Iot device grouping and labeling

ABSTRACT

Techniques for grouping and labeling Internet of Things (IoT) devices are disclosed. A first set of raw events associated with a first IoT device is identified, including a transmission made by the first IoT device. A communication manner of the first IoT device is determined, based at least in part on a communication manner of the first IoT device. The first set of raw events over the first time period is examined to generate one or more formatted events of the first IoT device. The formatted events are used to extract a set of features. Similar processing is performed with respect to a second IoT device. A context-based IoT device grouping model is generated based on at least one of: (1) the features extracted for the first IoT device or (2) the features extracted for the second IoT device. The model is applied to determine that a third IoT device belongs to a particular group. A deviation by the third IoT device from group behavior is detected and an alert is generated in response.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.17/353,682, entitled IOT DEVICE GROUPING AND LABELING filed Jun. 21,2021, which is a continuation of U.S. patent application Ser. No.15/894,861, now U.S. Pat. No. 11,082,296, entitled IOT DEVICE GROUPINGAND LABELING filed Feb. 12, 2018, which claims priority to U.S.Provisional Patent Application No. 62/578,266, filed Oct. 27, 2017, eachof which is incorporated by reference herein.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a diagram of an example of a system for providingcontext-aware Internet of Things (IoT) identification.

FIG. 2 depicts a flowchart of an example of a method forgrouping/labeling IoT devices in operation.

FIG. 3 depicts a diagram of an example context aware IoT eventaggregation system.

FIG. 4 depicts a flowchart of an example of a method for aggregatingevents occurring at IoT devices based on context for purposes ofgrouping/labeling IoT devices in operation.

FIG. 5 depicts a diagram of an example context-based IoT device groupingsystem.

FIG. 6 depicts a flowchart of an example of a method for performinggrouping/labeling of IoT devices in operation using aggregated eventsoccurring in the operation of the IoT device.

FIG. 7 depicts a diagram of an example context-based IoT device groupingmodel generation system.

FIG. 8 depicts a flowchart of an example of a method for generating acontext based IoT device grouping model.

FIG. 9 depicts a diagram of an example context-based IoT device groupingmodel maintenance system.

FIG. 10 depicts a flowchart of an example of a method for maintaining acontext-based IoT device grouping for use in grouping/labeling IoTdevices in operation.

FIG. 11 depicts a diagram of an example of a system forgrouping/labeling IoT devices in operation.

FIG. 12 depicts a diagram of another example of a system forgrouping/labeling IoT devices in operation.

FIG. 13 depicts a diagram of still another example of a system forgrouping/labeling IoT devices in operation.

FIG. 14 depicts a diagram of still another example of a system forgrouping/labeling IoT devices in operation.

FIG. 15 depicts a diagram of still another example of a system forgrouping/labeling IoT devices in operation.

FIG. 16 depicts a diagram of an example of a system forgrouping/labeling IoT devices through a mirror port.

FIG. 17 depicts a diagram of an example of a IoT devicegrouping/labeling management system.

FIG. 18 is a diagram of an example of a cloud-based grouping andlabeling engine with semi-autonomous grouping and labeling engines.

DETAILED DESCRIPTION

FIG. 1 depicts a diagram 100 of an example of a system for identifyingInternet of Things (IoT) devices. The system of the example of FIG. 1includes a computer-readable medium 102, IoT device 104-1 . . . 104-n(hereinafter referred to as “IoT devices 104”) coupled to thecomputer-readable medium 102, and a context-aware IoT deviceidentification system 106.

The computer-readable medium 102 and other computer readable mediumsdiscussed in this paper are intended to include all mediums that arestatutory (e.g., in the United States, under 35 U.S.C. 101), and tospecifically exclude all mediums that are non-statutory in nature to theextent that the exclusion is necessary for a claim that includes thecomputer-readable medium to be valid. Known statutory computer-readablemediums include hardware (e.g., registers, random access memory (RAM),non-volatile (NV) storage, to name a few), but may or may not be limitedto hardware.

The computer-readable medium 102 and other computer readable mediumsdiscussed in this paper are intended to represent a variety ofpotentially applicable technologies. For example, the computer-readablemedium 102 can be used to form a network or part of a network. Where twocomponents are co-located on a device, the computer-readable medium 102can include a bus or other data conduit or plane. Where a firstcomponent is co-located on one device and a second component is locatedon a different device, the computer-readable medium 102 can include awireless or wired back-end network or LAN. The computer-readable medium102 can also encompass a relevant portion of a WAN or other network, ifapplicable.

The devices, systems, and computer-readable mediums described in thispaper can be implemented as a computer system or parts of a computersystem or a plurality of computer systems. In general, a computer systemwill include a processor, memory, non-volatile storage, and aninterface. A typical computer system will usually include at least aprocessor, memory, and a device (e.g., a bus) coupling the memory to theprocessor. The processor can be, for example, a general-purpose centralprocessing unit (CPU), such as a microprocessor, or a special-purposeprocessor, such as a microcontroller.

The memory can include, by way of example but not limitation, randomaccess memory (RAM), such as dynamic RAM (DRAM) and static RAM (SRAM).The memory can be local, remote, or distributed. The bus can also couplethe processor to non-volatile storage. The non-volatile storage is oftena magnetic floppy or hard disk, a magnetic-optical disk, an opticaldisk, a read-only memory (ROM), such as a CD-ROM, EPROM, or EEPROM, amagnetic or optical card, or another form of storage for large amountsof data. Some of this data is often written, by a direct memory accessprocess, into memory during execution of software on the computersystem. The non-volatile storage can be local, remote, or distributed.The non-volatile storage is optional because systems can be created withall applicable data available in memory.

Software is typically stored in the non-volatile storage. Indeed, forlarge programs, it may not even be possible to store the entire programin the memory. Nevertheless, it should be understood that for softwareto run, if necessary, it is moved to a computer-readable locationappropriate for processing, and for illustrative purposes, that locationis referred to as the memory in this paper. Even when software is movedto the memory for execution, the processor will typically make use ofhardware registers to store values associated with the software, andlocal cache that, ideally, serves to speed up execution. As used herein,a software program is assumed to be stored at an applicable known orconvenient location (from non-volatile storage to hardware registers)when the software program is referred to as “implemented in acomputer-readable storage medium.” A processor is considered to be“configured to execute a program” when at least one value associatedwith the program is stored in a register readable by the processor.

In one example of operation, a computer system can be controlled byoperating system software, which is a software program that includes afile management system, such as a disk operating system. One example ofoperating system software with associated file management systemsoftware is the family of operating systems known as Windows® fromMicrosoft Corporation of Redmond, Washington, and their associated filemanagement systems. Another example of operating system software withits associated file management system software is the Linux operatingsystem and its associated file management system. The file managementsystem is typically stored in the non-volatile storage and causes theprocessor to execute the various acts required by the operating systemto input and output data and to store data in the memory, includingstoring files on the non-volatile storage.

The bus can also couple the processor to the interface. The interfacecan include one or more input and/or output (I/O) devices. Dependingupon implementation-specific or other considerations, the I/O devicescan include, by way of example but not limitation, a keyboard, a mouseor other pointing device, disk drives, printers, a scanner, and otherI/O devices, including a display device. The display device can include,by way of example but not limitation, a cathode ray tube (CRT), liquidcrystal display (LCD), or some other applicable known or convenientdisplay device. The interface can include one or more of a modem ornetwork interface. It will be appreciated that a modem or networkinterface can be considered to be part of the computer system. Theinterface can include an analog modem, ISDN modem, cable modem, tokenring interface, satellite transmission interface (e.g. “direct PC”), orother interfaces for coupling a computer system to other computersystems. Interfaces enable computer systems and other devices to becoupled together in a network.

The computer systems can be compatible with or implemented as part of orthrough a cloud-based computing system. As used in this paper, acloud-based computing system is a system that provides virtualizedcomputing resources, software and/or information to end user devices.The computing resources, software and/or information can be virtualizedby maintaining centralized services and resources that the edge devicescan access over a communication interface, such as a network. “Cloud”may be a marketing term and for the purposes of this paper can includeany of the networks described herein. The cloud-based computing systemcan involve a subscription for services or use a utility pricing model.Users can access the protocols of the cloud-based computing systemthrough a web browser or other container application located on theirend user device.

A computer system can be implemented as an engine, as part of an engineor through multiple engines. As used in this paper, an engine includesone or more processors or a portion thereof. A portion of one or moreprocessors can include some portion of hardware less than all of thehardware comprising any given one or more processors, such as a subsetof registers, the portion of the processor dedicated to one or morethreads of a multi-threaded processor, a time slice during which theprocessor is wholly or partially dedicated to carrying out part of theengine's functionality, or the like. As such, a first engine and asecond engine can have one or more dedicated processors or a firstengine and a second engine can share one or more processors with oneanother or other engines. Depending upon implementation-specific orother considerations, an engine can be centralized or its functionalitydistributed. An engine can include hardware, firmware, or softwareembodied in a computer-readable medium for execution by the processor.The processor transforms data into new data using implemented datastructures and methods, such as is described with reference to the FIGS.in this paper.

The engines described in this paper, or the engines through which thesystems and devices described in this paper can be implemented, can becloud-based engines. As used in this paper, a cloud-based engine is anengine that can run applications and/or functionalities using acloud-based computing system. A cloud-based engine uses remote or hostedcomputing resources with a middle layer to hide hardware details. All orportions of the applications and/or functionalities can be distributedacross multiple computing devices, and need not be restricted to onlyone computing device. In some embodiments, the cloud-based engines canexecute functionalities and/or modules that end users access through aweb browser or container application without having the functionalitiesand/or modules installed locally on the end-users' computing devices.

As used in this paper, datastores are intended to include repositorieshaving any applicable organization of data, including tables,comma-separated values (CSV) files, traditional databases (e.g., SQL),or other applicable known or convenient organizational formats.Datastores can be implemented, for example, as software embodied in aphysical computer-readable medium on a specific-purpose machine, infirmware, in hardware, in a combination thereof, or in an applicableknown or convenient device or system. Datastore-associated components,such as database interfaces, can be considered “part of” a datastore,part of some other system component, or a combination thereof, thoughthe physical location and other characteristics of datastore-associatedcomponents is not critical for an understanding of the techniquesdescribed in this paper.

Datastores can include data structures. As used in this paper, a datastructure is associated with a particular way of storing and organizingdata in a computer so that it can be used efficiently within a givencontext. Data structures are generally based on the ability of acomputer to fetch and store data at any place in its memory, specifiedby an address, a bit string that can be itself stored in memory andmanipulated by the program. Thus, some data structures are based oncomputing the addresses of data items with arithmetic operations; whileother data structures are based on storing addresses of data itemswithin the structure itself. Many data structures use both principles,sometimes combined in non-trivial ways. The implementation of a datastructure usually entails writing a set of procedures that create andmanipulate instances of that structure. The datastores, described inthis paper, can be cloud-based datastores. A cloud-based datastore is adatastore that is compatible with cloud-based computing systems andengines.

Returning to the example of FIG. 1 , the IoT devices 104 are intended torepresent devices with wired or wireless interfaces through which theIoT devices 104 can send and receive data over wired and wirelessconnections, more specifically, devices purposely built or specificallypurposed device with predictable or stable behavior patterns. Examplesof IoT devices include thermostats, mobile devices, biological managers,sensory devices, and functionality performing devices. The IoT devices104 can include unique identifiers which can be used in the transmissionof data through a network. Unique identifiers of the IoT devices 104 caninclude identifiers created in accordance with Internet Protocol version4 (hereinafter referred to as “IPv4”) or identifiers created inaccordance with Internet Protocol version 6 (hereinafter referred to as“IPv6”), of which both protocol versions are hereby incorporated byreference. Instead or in addition, a unique identifier can include a MACaddress or a portion thereof. Depending upon implementation-specific orother considerations, the IoT devices 104 can include applicablecommunication interfaces for receiving and sending data according to anapplicable wireless device protocol. Examples of applicable wirelessdevice protocols include Wi-Fi, ZigBee®, Bluetooth®, and otherapplicable low-power communication standards.

In a specific implementation, the IoT devices 104 act as stations. Astation, as used in this paper, can be referred to as a device with amedia access control (MAC) address and a physical layer (PHY) interfaceto a wireless medium that complies with the IEEE 802.11 standard. Thus,for example, the network devices can be referred to as stations, ifapplicable. IEEE 802.11a-1999, IEEE 802.11b-1999, IEEE 802.11g-2003,IEEE 802.11-2007, and IEEE 802.11n TGn Draft 8.0 (2009) are incorporatedby reference. As used in this paper, a system that is 802.1standards-compatible or 802.11 standards-compliant complies with atleast some of one or more of the incorporated documents' requirementsand/or recommendations, or requirements and/or recommendations fromearlier drafts of the documents, and includes Wi-Fi systems. Wi-Fi is anon-technical description that is generally correlated with the IEEE802.11 standards, as well as Wi-Fi Protected Access (WPA) and WPA2security standards, and the Extensible Authentication Protocol (EAP)standard. In alternative embodiments, a station may comply with adifferent standard than Wi-Fi or IEEE 802.11, may be referred to assomething other than a “station,” and may have different interfaces to awireless or other medium.

In a specific implementation, the IoT devices 104 are configured toaccess network services in compliance with IEEE 802.3. IEEE 802.3 is aworking group and a collection of IEEE standards produced by the workinggroup defining the physical layer and data link layer's MAC of wiredEthernet. This is generally a local area network technology with somewide area network applications. Physical connections are typically madebetween nodes and/or infrastructure devices (hubs, switches, routers) byvarious types of copper or fiber cable. IEEE 802.3 is a technology thatsupports the IEEE 802.1 network architecture. As is well-known in therelevant art, IEEE 802.11 is a working group and collection of standardsfor implementing wireless local area network (WLAN) computercommunication in the 2.4, 3.6 and 5 GHz frequency bands. The baseversion of the standard IEEE 802.11-2007 has had subsequent amendments.These standards provide the basis for wireless network products usingthe Wi-Fi brand. IEEE 802.1 and 802.3 are incorporated by reference.

In a specific implementation, the IoT devices 104 are purposefully builtor configured IoT devices. In being purposely built IoT devices, the IoTdevices 104 are built to have specific operational parameters. Forexample, a thermometer may be built to provide signals from atemperature sensor. In being purposely configured IoT devices, the IoTdevices 104 can be configured to operate according to specificoperational parameters in accordance with input from a human orartificial agent. For example, an IoT device of the IoT devices 104 canbe a thermostat configured to control an air conditioner to cool a roomto a configurable temperature at a configurable time. As anotherexample, an agent can specify an IoT device should not communicate witha specific data source, and the IoT device can be configured to refrainfrom communicating with the specific data source as part of purposefulconfiguration.

In the example system 100 shown in FIG. 1 , the context-aware IoT deviceidentification system 106 is intended to represent a system thatunderstands domain-specific context and uses machine learning togenerate additional domain knowledge. A context of an IoT device, asused herein, includes IoT device profiles, IoT device categories,applicable operational parameters of an IoT device in operation, to namea few. For example, an IoT device can be profiled as a thermostat,categorized as a General Electric product, and a context of the IoTdevice can include an ID of the IoT device, sources (or paths) ofmessages to the IoT device, destinations (or paths) of messages from theIoT device, current operational parameters of the IoT device, e.g. howan IoT device operates in controlling itself, behaviors of an IoT devicein operation, whether an IoT device is actually operating, data portsused by an IoT device in sending and receiving data, types of data sentor received, operating systems used by an IoT device, applications usedby an IoT device, a hostname, finger print (e.g., Dynamic HostConfiguration Protocol (DHCP) finger print), user agent, a specificfield in a specific application header, MAC address (e.g.,organizational unique identifier (OUI)), communication between an IoTdevice and its controller located remotely, and so on. Further, acontext of an IoT device can include applicable operational parametersof an IoT device in operation to either or both access network servicesand broadcast. For example, a context of an IoT device can include amessage an IoT device broadcasts in acting as a beacon. In anotherexample, a context of an IoT device can include a data source with whichan IoT device communicates through a WAN.

In a specific implementation, at least a portion of the context-awareIoT device identification system 106 is implemented remote relative toIoT devices 104 for which the system determines labeling of the IoTdevices 104. For example, at least a portion of the context-aware IoTdevice identification system 106 can be implemented as cloud basedsystems. Portions of the context-aware IoT device identification system106 implemented remote relative to IoT devices 104 can receive dataassociated with the IoT devices 104 through virtual private network(hereinafter “VPN”) tunnels. For example, the context-aware IoT deviceidentification system 106 can receive outbound network traffic sent fromIoT devices 104 over a VPN tunnel. Additionally, VPN tunnels throughwhich the context-aware IoT device identification system 106 can sendand receive data can be maintained using dedicated networking equipment.For example, the context-aware IoT device identification system 106 canreceive data associated with the IoT devices 104 using dedicated routersfor communicating with the IoT devices 104.

Instead or in addition, at least a portion of the context-aware IoTdevice identification system 106 can be implemented through one or morelocal agents. A local agent includes software implemented on a physicaldevice locally coupled to IoT devices 104. Local coupling involvesoperationally connecting the local agent via a LAN interface (or asmaller network interface, such as a PAN interface) to IoT devices 104or listening to a mirror port of a switch operationally connected to theIoT device network. It should be noted that enterprise networks caninclude geographically distributed LANs coupled across WAN segments. Ina distributed enterprise network, the local agents may be local at eachLAN (each LAN is sometimes referred to as a Basic Service Set (BSS) inIEEE 802.11 parlance, though no explicit requirement is suggested here)or localized using, e.g., VLAN tunneling (the connected LANs aresometimes referred to as an Extended Service Set (ESS) in IEEE 802.11parlance, though no explicit requirement is suggested here). Dependingupon implementation-specific or other considerations, the context-awareIoT device identification system 106 can include wired communicationinterfaces and wireless communication interfaces for communicating overwired or wireless communication channels. The context-aware IoT deviceidentification system 106 can be, at least in part, a device provided byan Internet service provider directly purchased by a consumer and actingas a conduit between networks. Depending upon implementation or otherconsiderations, the context-aware IoT device identification system 106can be implemented as part of a private cloud. A private cloudimplementing the context-aware IoT device identification system 106, atleast in part, can be specific to an entity.

In a specific implementation, the IoT device identification system 106functions to perform grouping/labeling of IoT devices 104, based onevents. It may be noted that an IoT device 104 with a certainpersonality can be categorized into a certain group and an IoT device104 without the certain personality can be categorized in a differentgroup. As used in this paper, a personality includes mathematicallymodeled behavior patterns, with institutional knowledge built into thepersonality model.

In a specific implementation, the IoT device identification system 106can determine events based on messages transmitted by or to an IoTdevice 104. For example, the IoT device identification system 106 cantranslate one or a plurality data packets (e.g., header) transmitted byor to an IoT device 104 into events which can subsequently be used todetermine a grouping/labeling of the IoT device 104. As another example,the IoT device identification system 106 can correlate one or aplurality of data packets (e.g., header) transmitted by or to an IoTdevice 104 to an event of a specific application being executed on theIoT device 104. Events can be associated with a specific context of anIoT device 104, such as having a specific operating system executing onan IoT device 104 or being controlled by a specific user.

In a specific implementation, the IoT device identification system 106functions to determine events locally with respect to IoT devices 104.In determining events locally with respect to IoT devices 104, the IoTdevice identification system 106 can be implemented at a device within aLAN associated with or formed in part through the IoT device 104.Further, the IoT device identification system 106 can locally determineat a device within a LAN events for use in determining agrouping/labeling of an IoT device 104. For example, the IoT deviceidentification system 106 can be implemented at a local agent anddetermine at the local agent events for use in grouping/labeling IoTdevices 104.

In a specific implementation, the IoT device identification system 106identifies event parameters (data or metadata) by analyzing the datapackets. For example, if a data packet can be correlated with a specificapplication, then the IoT device identification system 106 can identifyan event parameter of the specific application is executed inassociation with an IoT device 104. The IoT device identification system106 can use packet header analysis to identify event parameters fromdata packets transmitted to or from an IoT device 104. Additionally, theIoT device identification system 106 can use deep packet inspection toidentify event parameters from data packets. For example, the IoT deviceidentification system 106 can use deep packet inspection to analyze apayload of a data packet sent from an IoT device 104 and subsequentlyidentify an event parameter from the data packet.

In a specific implementation, the IoT device identification system 106determines one or a combination of device sensor events, session events,application events, user events, protocol events, and status eventsincluded as part of a context of an IoT device in operation. Devicesensor events can include events that occur at the physical layer of thephysical layer or data link layer of the open system interconnection(hereinafter referred to as “OSI”) model. For example, device sensorevents can include a virtual LAN (hereinafter referred to as “VLAN”)used by an IoT device to communicate with a specific data source.Session events can include events that occur at either the network layeror the transport layer of the OSI model. For example, session events caninclude a specific network type used by an IoT device to communicatewith a source. Application events include events that occur at one or acombination of the session layer, the presentation layer, and theapplication layer of the OSI model. For example, application events caninclude an identification of an application executed at an IoT device inaccessing network services. Device events can include events that occurat a specific device. User events can include events that occur inassociated with a specific user interacting with an IoT device. Forexample, user events can include specific instances in which a specificuser interacts with IoT devices. Status events can include eventsassociated with whether an IoT device is operating. For example, statusevents can include an event indicating whether an IoT device isoperating within a given operational efficiency range.

In a specific implementation, the IoT device identification system 106functions to transform events into a format suitable forgrouping/labeling of IoT devices, by generating formatted events of IoTdevices 104 in operation. A formatted event is a transformation of oneor more timestamped events, including composite events. As used in thispaper, a composite event comprises multiple event parameters, but isreferred to as an “event,” which is a more general term intended torepresent a discrete event or a combination of event parameters (whichcan include one or more discrete events). For example, a discrete event,such as a signal transmitted from a thermometer associated with adiscrete temperature sensing instance, can be combined with eventparameters for the destination of the signal, historical signaltransmissions, transmissions of similarly classified IoT devices, andthe like, to generate a composite event. The context-aware IoT deviceidentification system 106 can generate formatted events of IoT devices104 in operation based on messages transmitted to or from IoT devices104. For example, the context-aware IoT device identification system 106can examine messages transmitted to an IoT device 104 to determine anevent which can subsequently be timestamped to create a formatted eventof the IoT device 104 in operation. The context-aware IoT deviceidentification system 106 can generate formatted events of IoT devicesin operation within a time window. For example, the context-aware IoTdevice identification system 106 can examine all messages transmittedfrom an IoT device 104 within a one hour period to determine a formattedevent of the IoT device 104 in operation. A time window, also referredto as a data rollup window, can be used by the context-aware IoT deviceidentification system 106 to generate formatted events of an IoT device104 in operation. For example, the context-aware IoT deviceidentification system 106 can examine packets transmitted from a firstIoT device over a 24 hour period and examine packets transmitted from asecond IoT device over a five minute period to extract features of thefirst and second IoT devices in operation. A time window used by thecontext-aware IoT device identification system 106 to extract featuresof IoT devices 104 in operation can vary based on contexts of the IoTdevices 104. For example, the context-aware IoT device identificationsystem 106 can vary time windows used to extract features of IoT devices104 in operation based on communication manner of the IoT devices 104.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to aggregate formatted events forpurposes of determining grouping/labeling of IoT devices 104. Thecontext-aware IoT device identification system 106 can aggregateformatted events based on context, such as by way of a profile-basedaggregation. For example, the context-aware IoT device identificationsystem 106 can aggregate formatted events based on recipients of datapackets transmitted from an IoT device 104. In another example, thecontext-aware IoT device identification system 106 can aggregateformatted events based on an IoT device ID or a port used transmit datapackets from which the formatted events are translated. Further, thecontext-aware IoT device identification system 106 can aggregateformatted events based on contexts associated with events. For example,the context-aware IoT device identification system 106 can aggregateformatted events based on whether the formatted events are one or acombination of device sensor events, session events, application events,user events, protocol events, and status events.

In a specific implementation, the context-aware IoT deviceidentification system 106 can aggregate formatted events of IoT devices104 in operation using common factor aggregation machine learning. Forexample, if, through machine learning, common factors of IoT devicesthat can be categorized in a certain group (e.g., thermostat) areidentified, then the context-aware IoT device identification system 106can group formatted events of IoT devices 104 based on the commonfactors identified through machine learning. The context-aware IoTdevice identification system 106 can use common factor aggregationmachine learning to identify common factors of contexts of IoT devices104 in operation, for use in aggregating formatted events based oncontext. For example, if formatted events related to operation of IoTdevices by a particular user share a specific common factor, identifiedthrough machine learning, then the context-aware IoT deviceidentification system 106 can group formatted events of the useroperating IoT devices together based on the specific common factor. CFAcan be used as an input, as well. The events aggregated based on contextcan be fed to a prediction engine to identify same type of IoT device ornew type of IoT device.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to drop specific determined featuresor formatted events from consideration in determining grouping/labelingof IoT devices 104. In dropping specific features from consideration indetermining grouping/labeling of IoT devices 104, the context-aware IoTdevice identification system 106 can filter out irrelevant factors toonly keep IoT compatible features for purposes of determininggrouping/labeling of IoT devices 104. For example, the context-aware

IoT device identification system 106 can filter out features associatedwith human factors in IoT device operation for purposes of determininggrouping/labeling of IoT devices 104.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to filter out features for use indetermining grouping/labeling of IoT devices 104 based on either or botha personality of an IoT device and a profile of a certain set of IoTdevices including the IoT device. A personality of an IoT deviceincludes applicable data describing operation of an IoT device forpurposes of determining grouping/labeling of the IoT devices 104. Forexample, a personality of an IoT device can include behavior patterns ofan IoT device. A profile of a set of IoT devices includes applicationdata describing operation of IoT devices in the set for purposes ofdetermining grouping/labeling of the IoT devices in operation. Forexample, a profile of a set of IoT devices can include behavior patternsof the IoT devices in the set. IoT devices can be tentatively groupedtogether to form a profile, based on one or a combination ofcharacteristics of the IoT devices, operational characteristics of theIoT devices, and contexts of the IoT devices in operation. For example,all IoT devices of a specific manufacturer of the same type can betentatively grouped together to form a category (or profile). Infiltering out features for use in determining grouping/labeling of theIoT devices based on either or both a personality of an IoT device and aprofile of a group of IoT devices, the context-aware IoT deviceidentification system 106 can filter out non-representative (e.g.,abnormal) operating behaviors of the IoT device of the set of IoTdevices using the personality of profile.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to add aggregated events andfeatures into an event buffer. An event buffer includes a collection ofevents and features that are held for a period of time and analyzed todetermine grouping/labeling of IoT devices 104. An event buffer can bespecific to a context associated with an IoT device in operation. Forexample, an event buffer can be associated with or specific to anapplication and can be used to determine grouping of IoT devices 104. Inanother example, an event buffer can be associated with IoT devices at aspecific location and can be used to determine grouping/labeling of IoTdevices 104. The context-aware IoT device identification system 106 canbuffer aggregated events and features into event buffers based oncontexts associated with aggregated events and features, e.g. contextsof an IoT device in operation. For example, the context-aware IoT deviceidentification system 106 can buffer aggregated events and features intoan event buffer based on whether the events are one or a combination ofdevice sensor events, session events, application events, user events,protocol events, and status events.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to determine grouping of IoT devicesin operation through application of a context-based IoT device groupingmodel to events and features of an IoT device operating. A context-basedIoT device grouping model includes applicable data describing parametersand weights thereof to perform grouping/labeling of IoT devices 104.Specifically, a context-based IoT device grouping model can include amodeled set of features indicating all or a portion of a behaviorpattern corresponding to one or more labeled or non-labeled groups. Forexample, a context-based IoT device grouping model can include acombination of behavior events indicated by a single modeled feature toform a behavior pattern. A context-based IoT device grouping model isspecific to a context of an IoT device. For example, a context-based IoTdevice grouping model can indicate characteristic behavior patterns ofan IoT device in interacting with a specific remote system. In applyinga context-based IoT device grouping model to determine grouping of IoTdevices in operation, the context-aware IoT device identification system106 can apply the model to compare current or past operating of an IoTdevice, e.g. indicated by aggregated events and features, with common orcharacteristic behavior patterns indicated by the model. Subsequently,by comparing the current or past operating of the IoT device with commonor characteristic behavior patterns, the context-aware IoT deviceidentification system 106 can determine grouping of IoT devices 104.

In a specific implementation, a context-based IoT device grouping modelis included as part of a personality of an IoT device or a profile of aset of IoT devices. For example, a context-based IoT device groupingmodel can include common or characteristic behavior patterns of a typeof IoT devices manufactured by the same manufacturer. In anotherexample, a context-based IoT device grouping model can include common orcharacteristic behavior patterns of a specific IoT device when astreaming music application is executed on the IoT device. In anotherexample, IoT devices can be grouped by type.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to generate a context-based IoTdevice grouping model through a machine learning process with respect toaggregated events and features in event buffers. Depending uponimplementation-specific or other considerations, the machine learningprocess employs one or more of machine learning algorithms, includingbut not limited to, tree ensemble based algorithm (e.g., Random Forest),a neural network based algorithm (e.g., feedforward neural network(FNN)), classification based algorithms (e.g., support vector machine(SVM), and boosting algorithms (e.g., eXtreme gradient boosting (XGB)).In a particular implementation, a boosting algorithm is preferablyemployed for the grouping of the IoT devices 104. A boosting algorithmhas features that can handle abnormal distribution of data (which can betypical in parameters of a large number of IoT devices of varioustypes), can handle high dimensional data represented by a large numberof parameters, can ignore correlation of parameters by assigning a lowerweight to correlated parameters, and can return a top relevant featurethat can be used for grouping of the IoT devices. A neural network basedalgorithm may also have features that can handle abnormal distributionof data, can handle high dimensional data represented by a large numberof parameters, and can ignore correlation of parameters by assigning alower weight to correlated parameters.

In a specific implementation, the context-aware IoT deviceidentification system 106 performs personality classification for IoTdevices for the grouping/labeling through application of a plurality ofcontext-based IoT device grouping models to events and features of IoTdevice operation. A behavior pattern of an IoT device can be representedby a plurality of context-based IoT device grouping models. Accordingly,the context-aware IoT device identification system 106 can apply theplurality of context-based IoT device grouping models to aggregatedevents and features of IoT devices 104 to determine IoT devicepersonality. For example, if a first context-based IoT device groupingmodel indicates a first aspect of a behavior pattern of an IoT deviceand a second context-based IoT device grouping model indicates a secondaspect of the behavior pattern of the IoT device, then the context-awareIoT device identification system 106 can apply both the first and secondmodels to classify the IoT device as having a certain characteristicpersonality.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to apply a context-based IoT devicegrouping model to aggregated events and features of an IoT devicecollected in event buffers in IoT device personality classification.Advantageously, aggregation based on known labels, remote IP,application, server port, or other factors can be on a granular level.For example, the context-aware IoT device identification system 106 canapply a context-based IoT device grouping model to aggregated events andfeatures in a buffer, in an order of the events and features in thebuffer. The context-aware IoT device identification system 106 can applyspecific context-based IoT device grouping models to events and featuresbased on a specific event buffer in which the events and features arecollected. For example, if aggregated events are in an event bufferassociated with applications executing on an IoT device, then thecontext-aware IoT device identification system 106 can applycontext-based IoT device grouping models for IoT device personalityclassification when applications are executed at the IoT device. Inanother example, if aggregated events are in an event buffer associatedwith session events, then the context-aware IoT device identificationsystem 106 can apply context-based IoT device grouping models for IoTdevice personality classification at a network layer level.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to apply a context-based IoT devicegrouping model to aggregated events and features based on a context ofan IoT device in operating to generate the events. For example, thecontext-aware IoT device identification system 106 can apply acontext-based IoT device grouping model to aggregated events based on aport used in communicating data packets used to determine the events. Inapplying a context-based IoT device grouping model to aggregated eventsbased on a context of an IoT device, the context-aware IoT deviceidentification system 106 can apply a context-based IoT device groupingmodel based on an event buffer in which the events are buffered. Forexample, the context-aware IoT device identification system 106 canapply a context-based IoT device grouping model for analyzing deviceevents to events buffered into an event buffer associated with eventsthat occurred at a specific device layer.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to carry out an assistedgrouping/labeling based on offline external inputs, for example, fromusers or administrators. Depending upon implementation-specific or otherconsiderations, the context-aware IoT device identification system 106functions to carry out an assisted grouping/labeling, when grouping ofan IoT device based on application of a context-based IoT devicegrouping model is unsuitable or unsuccessful (in error), e.g., when anIoT device cannot be categorized into any group of known IoT devicesand/or when labeling of IoT devices, although can be categorized into agroup, cannot be determined. Depending upon implementation-specific orother considerations, when grouping of an IoT device based onapplication of a context-based IoT device grouping model is unsuccessful(in error), the context-aware IoT device identification system 106generates a request for grouping and/or labeling of IoT devices based oninput by users, administrators, vendors, and/or expert knowledge. In aspecific implementation, the context-aware IoT device identificationsystem 106 allows for setting conditions to trigger error (or success)in the grouping/labeling of the IoT devices based on inputs from users,administrators, vendors, and/or expert knowledge.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to carry out prediction ofgrouping/labeling of a new IoT device by applying one or morecontext-based IoT device grouping models to events or features of thenew IoT device and generates a predicted grouping/labeling of the newIoT device. Depending upon implementation-specific or otherconsiderations, with respect to one or more groups organized frompre-existing IoT devices, the context-aware IoT device identificationsystem 106 determines probability that the new IoT device is categorizedin the group, and determines a group with the highest probability as agroup in which the new IoT device is categorize. Depending uponimplementation-specific or other considerations, the context-aware IoTdevice identification system 106 determines the group for the new IoTdevice, on the condition that the highest probability is over a certainthreshold. When the highest probability is lower than the certainthreshold, the context-aware IoT device identification system 106 maydetermine that no group matches the new IoT device, i.e.,grouping/labeling of the new IoT device into a group is unsuccessful (inerror). Depending upon implementation-specific or other considerations,when the grouping/labeling of the new IoT device is unsuccessful, thecontext-aware IoT device identification system 106 may carry out theabove-described assisted grouping/labeling. Alternatively, if byapplying one model, no grouping is identified, the context-aware IoTdevice identification system 106 applies a second model, and potentiallyadditional models after the second until all applicable models have beenattempted, only then an error is generated which requires assistedgrouping.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to maintain context-based IoT devicegrouping models for use in determining grouping of IoT devices inoperation. In maintaining a context-based IoT device grouping model foruse in determining grouping of IoT devices in operation, thecontext-aware IoT device identification system 106 can create and updatea context-based IoT device grouping model. For example, thecontext-aware IoT device identification system 106 can update acontext-based IoT device grouping model as IoT devices continue tooperate and/or as new IoT devices are added. The context-aware IoTdevice identification system 106 can maintain a context-based IoT devicegrouping model based on operation of IoT devices within a specific datawindow. For example, the context-aware IoT device identification system106 can maintain a context-based IoT device grouping model offline dailybased on IoT device operation during the day.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to maintain a context-based IoTdevice grouping model based on events determined based on operation ofone or a plurality of IoT devices. For example, the context-aware IoTdevice identification system 106 can maintain a context-based IoT devicegrouping model based on feature values of events occurring duringoperation of an IoT device. Additionally, the context-aware IoT deviceidentification system 106 can maintain a context-based IoT devicegrouping model based on aggregated events occurring during operation ofone or a plurality of IoT devices. For example, the context-aware IoTdevice identification system 106 can update a context-based IoT devicegrouping model based on feature values of events during operation of oneor a plurality of IoT devices. Further in the example, the context-awareIoT device identification system 106 can maintain the context-based IoTdevice grouping model based on the feature values of the eventsaggregated together using common factor aggregation based on contexts ofthe one or a plurality of the IoT devices in operation.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to determine behavior patterns of anIoT device in operation for use in maintaining a context-based IoTdevice grouping model. The context-aware IoT device identificationsystem 106 can determine behavior patterns of an IoT device in operationbased on aggregated events of the IoT device in operation. For example,if an IoT device exchanges data with a remote controller or destinationevery night, as indicated by aggregated events of the IoT device inoperation, then the context-aware IoT device identification system 106can determine a behavior pattern of the IoT device is exchanges datawith the remote controller or destination at night. The context-awareIoT device identification system 106 can use an applicable machinelearning mechanism to determine a behavior pattern of an IoT device inoperation.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to maintain a context-based IoTdevice grouping model based on contexts of one or a plurality of IoTdevices in operation. Specifically, the context-aware IoT deviceidentification system 106 can maintain a context-based IoT devicegrouping model based on a context of an IoT device in operating togenerate aggregated events used to maintain the model. For example, ifaggregated events of the IoT device in operation are created when aspecific application is executing, then the context-aware IoT deviceidentification system 106 can associate a context-based IoT devicegrouping model generated using the events with the specific application.Further in the example, the context-based IoT device grouping model canbe applied by the context-aware IoT device identification system 106 toaggregated events generated when the specific application is executingat the IoT device to determine grouping of IoT devices in operation.

In a specific implementation, the context-aware IoT deviceidentification system 106 functions to maintain a context-based IoTdevice grouping model as part of either or both a personality of an IoTdevice and a profile group of IoT devices. For example, thecontext-aware IoT device identification system 106 can maintain acontext-based IoT device grouping model based on operation of an IoTdevice and subsequently include the context-based IoT device groupingmodel as part of a personality of the IoT device. In maintaining acontext-based IoT device grouping model as part of a profile group ofIoT devices, the context-aware IoT device identification system 106 cangroup together the IoT devices based on context of the IoT devices inoperation. For example, the context-aware IoT device identificationsystem 106 can group together IoT devices of a specific type, e.g. acontext, into a profile group and subsequently add context-based IoTdevice grouping models generated based on operation of the IoT devicesinto the profile group of the IoT devices.

In an example of operation of the example system shown in FIG. 1 , theIoT device identification system 106 identifies events of the IoTdevices 104 in operation. In the example of operation of the examplesystem shown in FIG. 1 , the IoT device identification system 106aggregates the events based on contexts of the IoT devices 104 inoperation. Further, in the example of operation of the example systemshown in FIG. 1 , the IoT device identification system 106 buffers theaggregated events into an event buffer based on the contexts of the IoTdevices 104 in operation.

In the example of operation of the example system shown in FIG. 1 , theIoT device identification system 106 determine behaviors of an IoTdevice of the IoT devices 104 in operation based on the aggregatedevents in the event buffer. Additionally, in the example of operation ofthe example system shown in FIG. 1 , the IoT device identificationsystem 106 generates a context-based IoT device grouping model based onthe aggregated events in the event buffer and the determined behaviorsof the IoT devices. Further, in the example of operation of the examplesystem shown in FIG. 1 , the IoT device identification system 106applies the context-based IoT device grouping model to the aggregatedevents and the determined behaviors of the IoT devices to determinegrouping/labeling of the IoT devices. Moreover, in the example ofoperation of the example system shown in FIG. 1 , the IoT deviceidentification system 106 carries out assisted grouping/labeling of theIoT devices when the grouping/labeling based on the application of thecontext-based IoT device grouping model is unsuccessful. Furthermore, inthe example of operation of the example system shown in FIG. 1 , the IoTdevice identification system 106 applies the context-based IoT devicegrouping model to new IoT devices that have not been subjected togrouping/labeling to carry out grouping/labeling of the new IoT devicesand optionally carries out assisted grouping/labeling with respect tothe new IoT devices, if necessary. In the example of operation of theexample system shown in FIG. 1 , the IoT device identification system106 maintains the context-based IoT device grouping model aspre-existing IoT devices operate and new IoT devices are added.

FIG. 2 depicts a flowchart 200 of an example of a method forgrouping/labeling IoT devices in operation. The flowchart 200 begins atmodule 202, where events of an IoT device in operation are identified.An applicable system for grouping IoT devices in operation based oncontext, such as the context aware IoT device identification systemsdescribed in this paper, can identify events of IoT devices inoperation. Events of IoT devices in operation can be identified based onoperation of IoT devices. For example, if an IoT device reports anincrease in temperature in a room by five degrees, then eventsindicating the IoT device has indicated the temperature increased byfive degrees can be identified. Additionally, events of an IoT device inoperation can be identified based on messages transmitted to or from theIoT device. For example, an application executing at an IoT device canbe determined by analyzing data packets transmitted to and from the IoTdevice during execution of the application at the IoT device.

The flowchart 200 continues to module 204, where a context of the IoTdevices in operation to generate the events is identified. An applicablesystem for grouping IoT devices in operation based on context, such asthe context aware IoT device identification systems described in thispaper, can identify a context of the IoT device in operation to generatethe events. For example, a communication protocol of the IoT device canbe determined including a context of the IoT device. A context of theIoT device in operation can be identified based on a flow of data to andfrom the IoT device. For example, deep packet inspection can beperformed on messages transmitted to and from the IoT device to identifya context of the IoT device in operation.

The flowchart 200 continues to module 206, where events of the IoTdevices in operation are transformed into format suitable forgrouping/labeling of IoT devices. An applicable system for transformingformat of events, such as the context aware IoT device identificationsystems described in this paper, can transform the format of events intoa suitable format for grouping/labeling of IoT devices.

The flowchart 200 continues to module 208, where the events areaggregated based on the context of the IoT device to form aggregatedevents of the IoT device. An applicable system for grouping IoT devicesin operation based on context, such as the context aware IoT deviceidentification systems described in this paper, can aggregate the eventsbased on the context of the IoT device to form aggregated events. Theevents can be aggregated to form aggregated events according to anapplicable machine learning method. Common factor aggregation is a wayto apply various different machine learning and deep learning algorithmsby focusing on common factors (like all devices of same profile, sameOS, using Windows, using telnet, all devices talking to a specificsubnet, to name several) as applied to both detected and modeledbehavior. For example, session events can be aggregate together. Inanother example, streaming events can be aggregated together usingtime-window-based aggregation (e.g., within a limited range). The eventscan be aggregated locally with respect to the IoT device. For example,the events can be aggregated to form the aggregated events by a deviceimplemented as part of a LAN with the IoT device.

The flowchart 200 continues to module 210, where grouping/labeling ofthe IoT devices is carried out. If grouping/labeling based on acontext-based IoT device grouping model is suitable, e.g., when the datasamples are sufficiently large (e.g., aggregated events greater than athreshold), the flowchart 200 proceeds to module 212, where acontext-based IoT device grouping model is generated. An applicablesystem for generating a context-based IoT device grouping model based oncontext, such as the context aware IoT device identification systemsdescribed in this paper, can generate the context-based IoT devicegrouping model based on the context of the IoT devices.

The flowchart 200 continues to module 214, where a context-based IoTdevice grouping model is applied to the aggregated events according tothe event buffer to determine grouping of the IoT devices in operation.An applicable system for grouping the IoT devices in operation based oncontext, such as the context aware IoT device identification systemsdescribed in this paper, can apply a context-based IoT device groupingmodel to the aggregated events according to the event buffer todetermine grouping of the IoT devices in operation. For example, abehavior pattern of the IoT device can be determined from the aggregatedevents and the context-based IoT device grouping model can be applied tothe determined behavior pattern to determine grouping of the IoT devicesin operation. Further in the example, the determined behavior pattern ofthe IoT device can be compared to common or characteristic behaviorpatterns of the IoT devices in one or more groups based on thecontext-based IoT device grouping model, to determine grouping/labelingof the IoT devices. A context-based IoT device grouping model applied todetermine grouping/labeling of the IoT devices in operation can beincluded as part of either or both a personality of the IoT device and aprofile of a group of IoT devices associated with the IoT device. Forexample, a context-based IoT device grouping model can be included aspart of a profile of a group of IoT devices including the IoT devicethat are all of the same device type.

The flowchart 200 continues to a decision block 216, where whether ornot the grouping/labeling based on the context-based IoT device groupingmodel is successful is determined. An applicable system for grouping theIoT devices in operation based on context, such as the context aware IoTdevice identification systems described in this paper, can determinewhether or not the grouping/labeling based on the context-based IoTdevice grouping model is successful. For example, when an IoT devicecannot be categorized into any group of IoT devices and/or when labelingof IoT devices, although can be categorized into a group, cannot bedetermined, the grouping/labeling based on the context-based IoT devicegrouping model can be determined as unsuccessful.

If grouping/labeling based on a context-based IoT device grouping modelis not suitable, e.g., when the data sample is too small (e.g.,aggregated events smaller than a threshold) in the module 210, and ifthe grouping/labeling based on the context-based IoT device groupingmodel is determined to be unsuccessful in the decision block 216 (No indecision block 216), the flowchart 200 proceeds to module 218, whereassisted grouping/labeling of the IoT devices is carried out. Anapplicable system for carrying out the assisted grouping/labeling of theIoT devices, such as the context aware IoT device identification systemsdescribed in this paper, can carry out the assisted grouping/labeling ofthe IoT devices based on the offline external inputs.

If the grouping/labeling based on the context-based IoT device groupingmodel is determined to be successful in the decision block 216 (Yes indecision block 216), the flowchart 200 proceeds to module 220, wherewhether or not a new IoT device is added is determined. An applicablesystem for determining whether a new IoT device is added, such as thecontext aware IoT device identification systems described in this paper,can determine whether or not a new IoT device is added. If a new IoTdevice is determined to be added (Yes in decision block 220), theflowchart 200 returns to the module 214, and if a new IoT device is notdetermined to be added (No in decision block 220), the flowchart 200ends.

FIG. 3 depicts a diagram 300 of an example context aware IoT eventaggregation system 302. The context aware IoT event aggregation system302 is intended to represent a system that functions to aggregate eventsof an IoT device in operation for purposes of grouping IoT devices inoperation.

In a specific implementation, the context aware IoT event aggregationsystem 302 generates event parameters from data packets while refrainingfrom storing the data packets. Specifically, the context aware IoT eventaggregation system 302 can generate event metadata from data packetstransmitted to and from an IoT device, without locally storing theactual data packets in non-volatile storage. The context aware IoT eventaggregation system 302 can be included as part of an applicable systemfor identifying (or grouping) IoT devices in operation based on context,such as the context aware IoT device identification systems described inthis paper. Additionally, the context aware IoT event aggregation system302 can be implemented locally with respect to one or a plurality of IoTdevices. For example, the context aware IoT event aggregation system 302can be implemented as a local device forming part of a LAN at a home ofa plurality of IoT devices. Further in the example, the context awareIoT event aggregation system 302 can be implemented at a local deviceconfigured to provide the IoT devices access to network services throughthe LAN.

In aggregating events for purposes of grouping/labeling IoT devices inoperation, the context aware IoT event aggregation system 302 functionsto determine events represented by event metadata for purposes ofaggregating the events together. Further, the context aware IoT eventaggregation system 302 can determine a context of an IoT device inoperation for purposes of aggregating events together. For example, thecontext aware IoT event aggregation system 302 can determine a remotesystem an IoT device is communicating with and subsequently aggregateevents associated with communications with the remote system forpurposes of grouping/labeling IoT devices in operation. Additionally,the context aware IoT event aggregation system 302 can provide eventmetadata of aggregated events to a remote system for purposes ofgrouping/labeling IoT devices in operation at the remote system.

The example context aware IoT event aggregation system 302 shown in FIG.3 includes an IoT context determination engine 304, an eventdetermination engine 306, an event aggregation rules datastore 308, aself-correcting identity-based event aggregation engine 310, and anaggregated event transmission engine 312. In a specific implementation,the IoT context determination engine 304, the event determination engine306, the event aggregation rules datastore 308, the self-correctingidentity-based event aggregation engine 310, and the aggregated eventtransmission engine 312 are coupled with each other. The IoT devicecontext determination engine 304 is intended to represent an engine thatfunctions to determine a context of an IoT device in operation forpurposes of grouping/labeling IoT devices in operation. The IoT devicecontext determination engine 304 can determine a context of an IoTdevice in operation based on determined events in the operation of theIoT device. For example, the IoT device context determination engine 304can determine that an IoT device is communicating with another IoTdevice in operation. In determining a context of an IoT device based ondetermined events in the operation of the IoT device, the IoT devicecontext determination engine 304 can determine a context of an IoTdevice with respect to the events. For example, the IoT device contextdetermination engine 304 can determine a context of an IoT device at atime when it was operating to cause specific events to occur at the IoTdevice. The IoT device context determination engine 304 can be based oninput received from a user. For example, a user can register a device asa thermostat manufactured by a specific manufacturer.

The event determination engine 306 is intended to represent an enginethat functions to determine events in operation of an IoT device forpurposes of grouping/labeling IoT devices in operation. For example, theevent determination engine 306 can determine that a specific user isoperating or otherwise interacting with an IoT device for purposes ofgrouping/labeling IoT devices in operation. In determining events inoperation of an IoT device, the event determination engine 306 candetermine how the IoT device is actually operating. For example, theevent determination engine 306 can determine that lights in an officeshut themselves off at a specific time. In determining events inoperation of an IoT device, the event determination engine 306 cangenerate event metadata indicating the determined events. For example,the event determination engine 306 can generate event metadataindicating streaming events occurring at an IoT device.

In a specific implementation, the event determination engine 306functions to determine events in operation of an IoT device by analyzingmessages transmitted either or both to and from the IoT device. Theevent determination engine 306 can use an applicable packet inspectionmechanism to analyze messages transmitted to and from an IoT device forpurposes of determining events in operation of the IoT device.Specifically, the event determination engine 306 can analyze data packetheaders to determine events in operation of an IoT device. For example,the event determination engine 306 can analyze headers of data packetstransmitted to and from an IoT device to determine another IoT devicecommunicating with the IoT device. Additionally, the event determinationengine 306 can perform deep packets inspection on data packetstransmitted to and from an IoT device to determine events in operationof the IoT device. For example, the event determination engine 306 canperform deep packet inspection to determine session events of an IoTdevice in operation. Further, in a specific implementation, the eventdetermination engine 306 functions to transform events into formatsuitable for grouping/labeling of IoT devices, by generating formattedevents of IoT devices 104 in operation.

The event aggregation rules datastore 308 is intended to represent adatastore that functions to store event aggregation rules data. Eventaggregation rules data stored in the event aggregation rules datastore308 includes data identifying applicable rules for aggregating events inthe operation of IoT devices for use in grouping IoT devices inoperation. Event aggregation rules can be specific to contexts of IoTdevices. For example, event aggregation rules can specify to aggregatestreaming events occurring in the operation of an IoT device together.Further, event aggregation rules can specify common factors to use inaggregating events together. For example, event aggregation rules canspecify to aggregate events of an IoT device communicating with aspecific remote system, as indicated by a common factor. Eventaggregation rules can be specific to a context of an IoT device inoperation. For example, event aggregation rules can specify to aggregateall streaming events occurring at an IoT device together.

In a specific implementation, event aggregation rules indicated by eventaggregation rules data stored in the event aggregation rules datastore308 changes over time. Specifically, event aggregation rules can changeover time based on observed behaviors of an IoT device in operation. Forexample, if an IoT device continues to operate according to specificprocess protocols, then event aggregation rules can specify aggregatingevents associated with IoT devices operating according to the specificprocess protocols. Additionally, event aggregation rules can change overtime based on successful grouping/labeling of IoT devices in operation.For example, if streaming events aggregated together lead to betterresults in predicting groups of IoT devices in operation, as determinedthrough machine learning, then event aggregation rules can specifyaggregating streaming events together. Further, event aggregation rulescan be created and modified based on user input. For example, a user canspecify to aggregate network layer events together for a specific typeof IoT device, and event aggregation rules can subsequently be createdand modified to indicate aggregating network layer events together forthe specific type of IoT device.

The self-correcting identity-based event aggregation engine 310 isintended to represent an engine that functions to aggregate eventstogether for purposes of grouping/labeling IoT devices in operation. Inaggregating events together, the self-correcting identity-based eventaggregation engine 310 can aggregate event metadata for aggregatedevents. For example, the self-correcting identity-based eventaggregation engine 310 can aggregate event metadata of IoT device eventsoccurring in the operation of an IoT device. The self-correctingidentity-based event aggregation engine 310 can aggregate events usingcommon factor aggregation. Specifically, the self-correctingidentity-based event aggregation engine 310 can identify common factorsamongst events and subsequently aggregate the events together based onshared common factors. For example, the self-correcting identity-basedevent aggregation engine 310 can identify common factors amongst devicesensor events and subsequently group together the device sensor eventsbased on the shared common factors. Self-correction is possible becausethe event aggregation automatically adapts to match the environment.Identity-based is possible because all of the various events areassociated with an IoT device identity.

In a specific implementation, the self-correcting identity-based eventaggregation engine 310 functions to aggregate events based on contextsof an IoT device in operation. More specifically, the self-correctingidentity-based event aggregation engine 310 can aggregated events basedon contexts of an IoT device associated with the events. For example, ifa specific device was controlling operation of an IoT device when an IoTdevice was operating to cause the occurrence of specific events, thenthe self-correcting identity-based event aggregation engine 310 canaggregate the specific events together based on the fact they occurredwhen the specific device was operating the IoT device. In anotherexample, if specific events occurred when an IoT device wascommunicating with a specific remote system, then the self-correctingidentity-based event aggregation engine 310 can aggregate the specificevents together based on the fact they occurred when the IoT device wascommunicating with the specific remote system.

In a specific implementation, the self-correcting identity-based eventaggregation engine 310 can aggregate events according to eventaggregation rules. For example, if event aggregation rules specifyaggregating all session events of an IoT device in operation, then theself-correcting identity-based event aggregation engine 310 canaggregate all session events of the IoT device. In another example, ifevent aggregation rules specify aggregating events based on one or acombination of a device ID, application, and an IP address, then theself-correcting identity-based event aggregation engine 310 canaggregate events based on one or a combination of the device ID, theport number, and the IP address.

In a specific implementation, the self-correcting identity-based eventaggregation engine 310 functions to aggregate events within a timewindow, otherwise referred to as a data rollup window. For example, theself-correcting identity-based event aggregation engine 310 canaggregate events over a 24 hour time period. In another example, theself-correcting identity-based event aggregation engine 310 canaggregate events over a week long time period. In aggregating eventsover a longer time period, e.g. a day or a week, grouping/labeling ofIoT devices that are normally inactive can still be performed. A datarollup window in which the self-correcting identity-based eventaggregation engine 310 aggregates events can vary. For example, a datarollup window can vary on a per-device, per-application, and aper-device type basis. Additionally, a data rollup window in which theself-correcting identity-based event aggregation engine 310 aggregatedevents can vary based on a context of an IoT device in operation. Forexample, a data rollup window in which the self-correctingidentity-based event aggregation engine 310 aggregated events candecrease in size as an IoT device becomes more active.

In a specific implementation, the self-correcting identity-based eventaggregation engine 310 aggregates events within a short data rollupwindow. A short data rollup window is a time window between one and fiveminutes. In aggregating events over a short data rollup window, theself-correcting identity-based event aggregation engine 310 canaggregate events from port scans that occur every minute. Further, inaggregating events over a short data rollup window, heartbeats can beobserved as they persistently appear in the events aggregated by theself-correcting identity-based event aggregation engine 310 in the shortdata rollup window. Devices that communicate with a remote controllerdaily or persistent DDOS attacks can be observed as they persistentlyappear in the events aggregated by the self-correcting identity-basedevent aggregation engine 310 in a long data rollup window.

In a specific implementation, the self-correcting identity-based eventaggregation engine 310 functions to filter out events for purposes ofgrouping/labeling IoT devices in operation. In filtering out events forpurposes of grouping/labeling IoT devices in operation, theself-correcting identity-based event aggregation engine 310 can filterout irrelevant features to grouping/labeling IoT devices in operation.For example, the self-correcting identity-based event aggregation engine310 can filter out features associated with human factors in IoT deviceoperation for purposes of grouping/labeling IoT devices in operation. Asanother example, the self-correcting identity-based event aggregationengine 310 can filter out features that would cause model instability(e.g., features that give mixed signals or random noise).

The aggregated event transmission engine 312 is intended to represent anengine that functions to transmit aggregated events to a remote systemfor purposes of grouping/labeling IoT devices in operation. Theaggregated event transmission engine 312 can transmit event metadata ofaggregated events to a remote system for purposes of grouping/labelingIoT devices in operation. For example, the aggregated event transmissionengine 312 can transmit event metadata of aggregated session eventsoccurring at an IoT device for purposes of grouping/labeling IoT devicesin operation. The aggregated event transmission engine 312 can transmitaggregated events to a remotely implemented portion of an applicablesystem for grouping/labeling IoT devices in operation based on context,such as the context aware IoT device identification systems described inthis paper. The aggregated event transmission engine 312 can transmitaggregated events to a remote system implemented in the cloud.

In an example of operation of the example context aware IoT eventaggregation system 302 shown in FIG. 3 , the IoT device contextdetermination engine 304 determines a context of an IoT device inoperation. In the example of operation of the example system shown inFIG. 3 , the event determination engine 306 determines events occurringat the IoT device during the operation of the IoT device. Further, inthe example system shown in FIG. 3 , the event aggregation rulesdatastore 308 stores event aggregation rules data indicating eventaggregation rules for controlling aggregation of events occurring at anIoT device. In the example system shown in FIG. 3 , the self-correctingidentity-based event aggregation engine 310 aggregates the eventsdetermined by the event determination engine 306 according to the eventaggregation rules based on the context of the IoT device in operation,as determined by the IoT device context determination engine 304.Additionally, in the example of operation of the example system shown inFIG. 3 , the aggregated event transmission engine 312 transmits eventmetadata of the aggregated events to a remote system for use ingrouping/labeling IoT devices in operation.

FIG. 4 depicts a flowchart 400 of an example of a method for aggregatingevents occurring at IoT devices based on context for purposes ofgrouping/labeling IoT devices in operation. The flowchart 400 begins atmodule 402, where events occurring during operation of the IoT devicewithin a data rollup window are determined. An applicable engine foridentifying events occurring during operation of an IoT device, such asthe event determination engines described in this paper, can identifyevents occurring during operation of the IoT device within a data rollupwindow. Events occurring during operation of the IoT device can beidentified using applicable mechanism. For example, data packetstransmitted to and from the IoT device during operation of the IoTdevice can be analyzed to identify events occurring during operation ofthe IoT device. In identifying events occurring during operation of theIoT device, event metadata can be created indicating the identifiedevents.

The flowchart 400 continues to module 404, where a context of IoTdevices in operation is identified. An applicable engine for identifyinga context of IoT devices in operation, such as the IoT device contextdetermination engines described in this paper, can determine a contextof IoT devices in operation. A context of an IoT device can bedetermined based on identified events occurring at the IoT device duringoperation. For example, an identification of an IoT device can bedetermined from data packets transmitted to and from the IoT device.Additionally, a context of an IoT device can be determined based oninput received from a user. For example, a user can register a device asa thermostat or CT scanner manufactured by a specific manufacturer.

The flowchart 400 continues to module 406, where events of the IoTdevices in operation are transformed into format suitable forgrouping/labeling of IoT devices. An applicable system for transformingformat of events, such as the event determination engines described inthis paper, can transform the format of events into a suitable formatfor grouping/labeling of IoT devices.

The flowchart 400 continues to module 408, where the events areaggregated within the data rollup window based on the context of the IoTdevice in operation to form aggregated events. An applicable engine foraggregating events based on context, such as the context aware eventaggregation engines described in this paper, can aggregate the eventswithin the data rollup window based on the context of the IoT device toform aggregated events. For example, session events occurring at the IoTdevice can be aggregated together based on the context of the IoTdevice. In aggregating events, event metadata of the events can begrouped together to indicate the aggregated events.

The flowchart 400 continues to module 410, where event metadata of theaggregated events is transmitted to a remote system for purposes ofgrouping/labeling IoT devices. An applicable engine for transmittingevent metadata of aggregated events, such as the aggregated eventtransmission engines described in this paper, can transmit eventmetadata of the aggregated events to a remote system for purposes ofgrouping IoT devices in operation. For example, event metadata of theaggregated events can be transmitted to a remote portion of anapplicable system for grouping/labeling IoT devices in operation basedon context, such as the context aware IoT device identification systemsdescribed in this paper.

FIG. 5 depicts a diagram 500 of an example context-based IoT devicegrouping system 502. The context-based IoT device grouping system 502 isintended to represent a system that functions to perform grouping of IoTdevices in operation based on a context of the IoT devices in operation.The context-based IoT device grouping system 502 can be included as partof an applicable system for identifying IoT devices in operation basedon context, such as the context aware IoT device identification systemsdescribed in this paper. Additionally, the context-based IoT devicegrouping system 502 can be implemented remote from an IoT device. Forexample, the context-based IoT device grouping system 502 can beimplemented in the cloud remote from an IoT device for which thecontext-based IoT device grouping system 502 performs grouping/labelingof IoT devices in operation.

The context-based IoT device grouping system 502 functions to receiveevent metadata of aggregated events occurring during operation of an IoTdevice for purposes of grouping/labeling IoT devices in operation. Forexample, the context-based IoT device grouping system 502 can receiveevent metadata of aggregated protocol events of an IoT device inoperation from an applicable system for aggregating events such as thecontext aware IoT device aggregation systems described in this paper.Additionally, the context-based IoT device grouping system 502 cancollect aggregated events into event buffers based on a context of anIoT device in operation. For example, the context-based IoT devicegrouping system 502 can collect event data of aggregated eventsincluding device sensor events into an event buffer specific toprocessing device sensor events. Further, the context-based IoT devicegrouping system 502 can apply a context-based IoT device grouping modelto events in an event buffer for purposes of grouping IoT devices inoperation. For example, the context-based IoT device grouping system 502can determine a current behavior pattern of an IoT device fromaggregated events in an event buffer. Further in the example, thecontext-based IoT device grouping system 502 can compare currentbehaviors to a common or characteristic behavior pattern of one or moregroups formed based on application of the context-based undesiredbehavior detection model.

The example context-based IoT device grouping system 502 shown in FIG. 5includes an IoT device context determination engine 504, an eventcollecting engine 506, event buffer 508-1 to event buffer 508-n(hereinafter referred to as “event buffers 508”), an IoT device behavioridentification engine 510, an IoT device grouping model generationengine 512, a context-based IoT device grouping model datastore 514, anIoT device grouping model application engine 516, and an IoT devicegrouping/labeling result reporting engine 518. In a specificimplementation, the IoT device context determination engine 504, theevent collecting engine 506, the event buffers 508, the IoT devicebehavior identification engine 510, the IoT device grouping modelgeneration engine 512, the context-based IoT device grouping modeldatastore 514, the IoT device grouping model application engine 516, andthe IoT device grouping result reporting engine 518 are interconnectedwith each other.

The IoT device context determination engine 504 is intended to representan engine that functions to determine contexts of an IoT device, such asthe IoT device context determination engines described in this paper.The IoT device context determination engine 504 can determine a contextof an IoT device based on events occurring in the operation of the IoTdevice. For example, if an IoT device is experiencing a number ofstreaming events, then the IoT device context determination engine 504can determine a streaming application is executing at the IoT device.Additionally, the IoT device context determination engine 504 candetermine a context of an IoT device based on received user input. Forexample, a technician can register a medical device as an X-ray scannermanufactured by a specific manufacturer and the IoT device contextdetermination engine 504 can determine the context of the device is anX-ray scanner manufactured by the specific manufacturer.

The event collecting engine 506 is intended to represent an engine thatfunctions to collect aggregated events into event buffers 508 forpurposes of grouping IoT devices in operation. In collecting aggregatedevents into event buffers 508, the event collecting engine 506 can addevent metadata of the aggregated events into a specific event buffer508. For example, the event collecting engine 506 can collect aggregatedprotocol events of an IoT device into an event buffer 508 by addingevent metadata indicating the aggregated protocol events into the eventbuffer 508. In collecting aggregated events, the event collecting engine506 can receive event metadata of aggregated events.

In a specific implementation, the event collecting engine 506 functionsto collect aggregated events into an event buffer based on a context ofan IoT device when the aggregated events occurred. For example, if athermostat can measure and report the temperature in a room, then theevent collecting engine 506 can collect events of a heater in operationto raise the temperature into an event buffer specific to devicesmeasuring and/or controlling temperature. Further, the event collectingengine 506 can collect aggregated events into an event buffer based onwhether the events are one or a combination of device sensor events,session events, application events, user events, protocol events, andstatus events. For example, if aggregated events are application events,then the event collecting engine 506 can collect the aggregated eventsinto an event buffer specific to processing application events forpurposes of grouping/labeling IoT devices in operation. Aggregation canbe accomplished via time rollup window aggregation, time factoraggregation, or the like.

The event buffers 508 are intended to represent buffers used inprocessing events for purposes of grouping/labeling IoT devices inoperation. The event buffers 508 can each be specific to a differentcontext of an IoT device. For example, a first event buffer can bespecific to IoT devices of a specific type. Additionally, the eventbuffers 508 can be specific to one or a combination of device sensorevents, session events, application events, user events, protocolevents, and status events. For example, a first event buffer can be usedin processing streaming events while a second event buffer can be usedin processing application events for purposes of grouping IoT devices inoperation. The event buffers 508 can be configured to form a pipeline ofevent buffers. For example, a first event buffer can be logicallypositioned above a second event buffer to cause aggregated events topass from the first event buffer to the second event buffer after theevents are processed in the first event buffer.

In a specific implementation, the event buffers 508 function to receiveevent metadata for events aggregated together. The event buffers 508 cancollect event metadata of aggregated events for purposes of analyzingthe events to determine grouping/labeling of IoT devices in operation.For example, the event buffers 508 can collect received event metadataof aggregated events in an order that the event metadata is received forpurposes of analyzing the events to perform grouping/labeling of IoTdevices in operation.

The IoT device behavior identification engine 510 is intended torepresent an engine that functions to determine behaviors of an IoTdevice in operation to determine grouping of IoT devices in operation.The IoT device behavior identification engine 510 can determinebehaviors of an IoT device through neural network-based learning. Forexample, the IoT device behavior identification engine 510 can identifyDNS names that appear random from a volume DNS query through neuralnetwork-based learning. Additionally, the IoT device behavioridentification engine 510 can determine behaviors of an IoT device usingstate transition learning. For example, the IoT device behavioridentification engine 510 can identify behaviors of an IoT device inoperation from states of an IoT device for events and transitionsbetween events in the operation of the IoT device.

Furthermore, the IoT device behavior identification engine 510 canidentify behaviors based on network parameters. For example, the IoTdevice behavior identification engine 510 identifies behavior of an IoTdevice as “call home” behavior when the IoT device has called to itsmanufacturer to report status thereof. In another example, the IoTdevice behavior identification engine 510 identifies behavior of an IoTdevice based on frequency of data communication (e.g., frequency atwhich a telemetry IoT device sends measurement signals, such as heartbeats). In another example, the IoT device behavior identificationengine 510 identifies behavior of an IoT device based on a size of datacommunicated by the IoT device. In another example, the IoT devicebehavior identification engine 510 identifies behavior of an IoT devicebased on network protocol and remote port number used by the IoT device,packet header specific to a certain network protocol and a port numberused by the IoT device, bytes count of data (e.g., packets) sent orreceived by the IoT device, ratio between byte count of sent data tobyte count of received data, frequency at which similar sized packetsare sent to remote server, average latency between packets and thecorresponding variance, identification of servers contacted by the IoTdevice and connection time, network traffic associated with time of dayor day of the week regarding the IoT device, and periodic networkactivity that is automatically identified and correlated to applicationbehavior, to name a few.

In a specific implementation, the IoT device behavior identificationengine 510 functions to determine behaviors of an IoT device based onevents occurring in the operation of the IoT device and collected inevent buffers 508. More specifically, the IoT device behavioridentification engine 510 can determine events in operation of an IoTdevice by analyzing event metadata of aggregated events in event buffers508. For example, the IoT device behavior identification engine 510 candetermine an IoT device communicated with a specific source based onevent metadata of aggregated events in an event buffer 508. In anotherexample, the IoT device behavior identification engine 510 can determinean IoT device had a streaming application executing on it by analyzingevent metadata of aggregated events occurring at the IoT device andcollected into event buffers 508. The IoT device behavior identificationengine 510 can identify behaviors of an IoT device in operation byanalyzing aggregated events in an order that the events are collected inan event buffer 508.

The IoT device grouping model application engine 512 is intended torepresent an engine that functions to generate a context-based IoTdevice grouping model based on the aggregated events stored in the eventbuffer 508 and/or behavior determined by the IoT device behavioridentification engine 510. The IoT device grouping model applicationengine 512 generates context-based IoT device grouping model byemploying a machine learning scheme with respect to the aggregatedevents and/or the determined behavior. The machine learning scheme maybe based on one or more of algorithms, including but not limited to,tree ensemble based algorithm, a neural network based algorithm,classification based algorithms, and boosting algorithms. In a specificimplementation, the IoT device grouping model application engine 512 maysequentially employ two or more algorithms to generate a context-basedIoT device grouping model. In another specific implementation, the IoTdevice grouping model application engine 512 may generate two or morecontext-based IoT device grouping model employing different machinelearning algorithm and/or different combination of machine learningalgorithms. The IoT device grouping model application engine 512 storescontext-based IoT device grouping model data indicating context-basedIoT device grouping models in the context-based IoT device groupingmodel datastore 514.

The context-based IoT device grouping model datastore 514 is intended torepresent a datastore that functions to store context-based IoT devicegrouping model data indicating context-based IoT device grouping modelsfor use in performing grouping of IoT devices in operation.Context-based IoT device grouping model data stored in the context-basedIoT device grouping model datastore 514 can indicate either or bothcharacteristic and common behavior patterns of an IoT device in one ormore groups. For example, context-based IoT device grouping model datastored in the context-based IoT device grouping model datastore 514 canindicate remote systems an IoT device communicates with as part of itsregular behavior pattern for purposes of grouping IoT devices in thebehavior of the IoT device.

In a specific implementation, the context-based IoT device groupingmodel datastore 514 functions to store context-based IoT device groupingmodels maintained in a common language. Specifically, a context-basedIoT device grouping model stored in the context-based IoT devicegrouping model datastore 514 can be built in one language, e.g. Python,and then translated into a common language. For example, a context-basedIoT device grouping model stored in the context-based IoT devicegrouping model datastore 514 can include descriptions of characteristicor common behavior of IoT devices in a group, written in a commonlanguage such as java script object notation (hereinafter referred to“JSON”). A context-based IoT device grouping model stored in thecontext-based IoT device grouping model datastore 514 can be writtenoffline based on events occurring in historical data and then importedinto the context-based IoT device grouping model datastore 514 for usein grouping IoT devices in operation.

In a specific implementation, a context-based IoT device grouping modelstored in the context-based IoT device grouping model datastore 514includes personality description labels for grouping IoT devices capableof being detected through application of a model. Specifically, acontext-based IoT device grouping model stored in the context-based IoTdevice grouping model datastore 514 can include personality descriptionlabels for use in grouping IoT devices in operation. A personalitydescription label can include applicable data for grouping IoT devicesin operation. A personality description label can include commonbehavior of an IoT device categorized in a group or specific deviationsin behavior from characteristic and what is causing the IoT device tooperate according to the deviations in behavior from the characteristicor common behavior of a group. For the avoidance of doubt, in a specificimplementation, a personality description is not just about deviation;it describes normal behavior, as well. Machine learning approach,protocol, usage pattern, ID, manufacturer, MAC address, etc. can be usedto classify and label devices.

The IoT device grouping model application engine 516 is intended torepresent an engine that functions to perform grouping of IoT devices inoperation based on a context of the IoT device. The IoT device groupingmodel application engine 516 can determine grouping of an IoT device byapplying a context-based IoT device grouping model to determinedbehaviors of the IoT device and/or aggregated events in the event buffer508. For example, the IoT device grouping model application engine 516can apply a context-based IoT device grouping model to determinedifference from a characteristic or common behavior pattern of IoTdevices in one or more groups based on the context-based IoT devicegrouping model. The IoT device grouping model application engine 516 canapply a context-based IoT device grouping model to behaviors exhibitedby an IoT device as determined from aggregated events collected in anevent buffer 508. For example, the IoT device grouping model applicationengine 516 can apply a context-ebased IoT device grouping model tostreaming behaviors of an IoT device as determined from aggregatedstreaming events to determine grouping/labeling of the IoT device.

In a specific implementation, the IoT device grouping model applicationengine 518 functions to select a context-based IoT device grouping modelto apply for purposes of grouping/labeling IoT devices. The IoT devicegrouping model application engine 518 can determine a context-based IoTdevice grouping model to apply based on an event buffer 508 in whichaggregated events are collected. For example, if behaviors aredetermined from aggregated events in a specific event buffer 508, thenthe IoT device grouping model application engine 518 can select aspecific context-based IoT device grouping model associated with thespecific event buffer 508. Further, the IoT device grouping modelapplication engine 518 can select a context-based IoT device groupingmodel to apply based on either or both a context of an IoT device andcontexts of associated IoT devices. For example, if an IoT device ismanufactured by a specific manufacturer, then the IoT device groupingmodel application engine 518 can select a context-based IoT devicegrouping model created by modeling behavior of devices manufactured bythe specific manufacturer. Additionally, the IoT device grouping modelapplication engine 518 can select a context-based IoT device groupingmodel based on whether behaviors are determined from events that are oneor a combination of device sensor events, session events, applicationevents, user events, protocol events, and status events. For example, ifthe IoT device grouping model application engine 518 is applying a modelto behaviors of an IoT device determined from session events, then theIoT device grouping model application engine 518 can select acontext-based IoT device grouping model created from session eventsoccurring at an IoT device.

In a specific implementation, the IoT device grouping model applicationengine 518 functions to label one or more groups of IoT devices that isorganized based on application of a context-based IoT device groupingmodel. The IoT device grouping model application engine 518 can labelone or more groups of IoT devices according to personality descriptionlabels included as part of a context-based IoT device grouping model.For example, the IoT device grouping model application engine 518 canlabel a group of IoT devices as being characteristic of a thermostatusing personality description labels included as part of a context-basedIoT device grouping model.

The IoT device grouping result reporting engine 518 is intended torepresent an engine that functions to report grouping/labeling result ofan IoT device. The IoT device grouping result reporting engine 518 cangenerate and send a grouping/labeling result report including applicabledata related to grouping of IoT devices in operation. Specifically, theIoT device grouping result reporting engine 518 can generate and send agrouping/labeling result report including identifiers of groupsorganized as a result of the application of a context-based

IoT device grouping model, identifiers of IoT devices included in one ormore labeled groups, labeling of one or more labeled groups, identifiersof non-labeled groups, if any, and identifiers of IoT devices that arenot grouped, if any. For example, the IoT device grouping resultreporting engine 518 can generate and send a grouping/labeling resultreport indicating grouping/labeling of IoT devices in operation.

In a specific implementation, the IoT device grouping result reportingengine 518 functions to generate and send a grouping/labeling resultreport including a prediction accuracy degree to which an IoT device iscategorized in a group, with respect to one or more of IoT devices. Forexample, if an IoT device is deviating slightly from a characteristic orcommon behavior of typical IoT devices in the group, then the IoT devicegrouping result reporting engine 516 can included a lower predictionaccuracy degree in the grouping/labeling report.

In an example of operation of the example context-based IoT devicegrouping system 502 shown in FIG. 5 , the IoT device contextdetermination engine 504 determines a context of an IoT device inoperation. In the example of operation of the example system shown inFIG. 5 , the event collecting engine 506 receives aggregated eventsoccurring in the operation of the IoT device. Further, in the example ofoperation of the example system shown in FIG. 5 , the event collectingengine 506 collects the aggregated events in one of the event buffers508 based on the determined context of the IoT device. In the example ofoperation of the example system shown in FIG. 5 , the IoT devicebehavior identification engine 510 determines behaviors of the IoTdevice in operation based on the aggregated events in the event buffer508. In the example of operation of the example system shown in FIG. 5 ,the IoT device grouping model generation engine generates acontext-based IoT device grouping model based on the aggregated eventsstored in the event buffer 508 and/or behavior determined by the IoTdevice behavior identification engine 510. Additionally, in the exampleof operation of the example system shown in FIG. 5 , the IoT devicegrouping model application engine 516 performs grouping of IoT devicesin operation by applying the context-based IoT device grouping model tothe behaviors determined by the IoT device behavior identificationengine 510. In the example of operation of the example system shown inFIG. 5 , the IoT device grouping result reporting engine 518 generatesand sends a grouping/labeling result report based on grouping of the IoTdevices in operation performed by the IoT device grouping modelapplication engine 516.

FIG. 6 depicts a flowchart 600 of an example of a method for performinggrouping/labeling of IoT devices in operation using aggregated eventsoccurring in the operation of the IoT device. The flowchart 600 beginsat module 602, where event metadata of aggregated events occurringduring operation of an IoT device is received. An applicable engine forreceiving event metadata of aggregated events, such as the eventcollecting engines described in this paper, can receive event metadataof aggregated events. Event metadata of aggregated events can bereceived from an applicable system for aggregating events based on acontext of an IoT device, such as the context aware IoT eventaggregation systems described in this paper.

The flowchart 600 continues to module 604, where the aggregated eventsare collected into an event buffer. An applicable engine for collectingevents occurring during operation of an IoT device, such as the eventcollecting engines described in this paper, can collect the aggregatedevents into an event buffer. The aggregated events can be collected intoan event buffer based on a context of the IoT device. For example, theaggregated events can be collected into an event buffer associated witha specific user operating the device when the aggregated eventsoccurred. Additionally, the aggregated events can be collected into anevent buffer based on whether the events are one or a combination ofdevice sensor events, session events, application events, user events,protocol events, and status events.

The flowchart 600 continues to module 606, where behaviors of the IoTdevice in operation are determined from the aggregated events in theevent buffer. An applicable engine for determining behaviors of an IoTdevice, such as the IoT device behavior identification engines describedin this paper can determine behaviors of the IoT device in operationfrom the aggregated events in the event buffer. For example, states ofan IoT device in operation corresponding to behaviors of the IoT devicein operation can be determined from either or both the events themselvesor transitions between the events.

The flowchart 600 continues to module 608, where a context-based IoTdevice grouping and labeling model is generated based on the aggregatedevents stored in the event buffer and/or the determined behavior. Anapplicable engine for generating a context-based IoT device grouping andlabeling model, such as the IoT device grouping and labeling modelgeneration engines described in this paper, can generate a context-basedIoT device grouping and labeling model. In a specific implementation,the context-based IoT device grouping and labeling model is generated byemploying a machine learning scheme, i.e., one or more of tree ensemblebased algorithm, a neural network based algorithm, classification basedalgorithms, and boosting algorithms, with respect to the aggregatedevents and/or the determined behavior.

The flowchart 600 continues to module 610, where grouping of the IoTdevices are performed by applying a context-based IoT device groupingand labeling model to the determined behaviors and/or aggregated eventsof the IoT devices in operation. An applicable engine for applying acontext-based IoT device grouping and labeling model, such as the IoTdevice grouping and labeling model application engines described in thispaper, can apply a context-based IoT device grouping and labeling modelto the determined behaviors and/or aggregated events of the IoT devicesto perform grouping and labeling of the IoT devices. A context-based IoTdevice grouping and labeling model can be selected based on a context ofthe IoT device. Further, a context-based IoT device grouping andlabeling model can be selected based on whether the aggregated eventsare one or a combination of device sensor events, session events,application events, user events, protocol events, and status events.

The flowchart 600 continues to module 612, where a grouping and labelingresult report is generated based on grouping of IoT devices inoperation. An applicable engine for generating and sending a groupingand labeling result report based on grouping of the IoT devices inoperation, such as the IoT device grouping and labeling result reportingengines described in this paper, can generate a grouping and labelingresult report based on grouping and labeling of the IoT devices inoperation. A grouping and labeling result report can include adescription of how the IoT devices are operating to cause the groupingand labeling of the IoT devices in operation. Additionally, a groupingand labeling result report can include labels of one or more groupsorganized based on the application of the context-based IoT devicegrouping and labeling model.

FIG. 7 depicts a diagram 700 of an example context-based IoT devicegrouping model generation system 702. The context-based IoT devicegrouping model generation system 702 is intended to represent a systemthat functions to generate a context-based IoT device grouping modelbased on aggregated events and behaviors of IoT devices in operation.The context-based IoT device grouping model generation system 702 can beincluded as part of an applicable system for grouping IoT devices inoperation, such as the context-based IoT device grouping systemsdescribed in this paper. Additionally, the context-based IoT devicegrouping model generation system 702 can be implemented remote from anIoT device. For example, the context-based IoT device grouping modelgeneration system 702 can be implemented in the cloud remote from an IoTdevice for which the context-based IoT device grouping model generationsystem 702 generates a context-based IoT device grouping model.

The example context-based IoT device grouping model generation system702 shown in FIG. 7 includes event buffer(s) 704, an IoT device behaviordatastore 706, an IoT device grouping model building engine 708, an IoTdevice grouping model validation engine 710, an IoT device groupingmodel feedback engine 712, and a context-based IoT device grouping modeldatastore 714. In a specific implementation, the event buffer(s) 704,the IoT device behavior datastore 706, the IoT device grouping modelbuilding engine 708, the IoT device grouping model validation engine710, the IoT device grouping model feedback engine 712, and thecontext-based IoT device grouping model datastore 714 are interconnectedwith each other.

The event buffers 704 are intended to represent buffers used inprocessing events for building a context-based IoT device groupingmodel. The event buffers 704 can employ the same or similar structure asthe event buffers 508 depicted in FIG. 5 .

The IoT device behavior datastore 706 is intended to represent adatastore including behaviors of IoT devices in operation to build acontext-based IoT device grouping model. The behaviors of IoT devicesare determined based on the context of the IoT devices and aggregatedevents of the IoT devices by an applicable engine, such as the IoTdevice behavior identification engines described in this paper.

The IoT device grouping model building engine 708 is intended torepresent an engine that functions to build a context-based IoT devicegrouping model based on the aggregated events of IoT devices andbehaviors of the IoT devices, by employing a machine learning process.Depending upon implementation-specific or other considerations, themachine learning process includes one or more of machine learningalgorithms, including but not limited to, tree ensemble based algorithm(e.g., Random Forest), a neural network based algorithm (e.g., FNN),classification based algorithms (e.g., SVM), and boosting algorithms(e.g., XGB). In a particular implementation, a boosting algorithm ispreferably employed for the grouping of the IoT devices. In anotherparticular implementation, a plurality of machine learning algorithms isemployed in a sequential manner. For example, a context-based IoT devicegrouping model obtained through one machine learning algorithm isfurther utilized by another (or the same) machine learning algorithm togenerate a modified context-based IoT device grouping model. In anotherparticular implementation, a plurality of machine learning algorithms isemployed in a parallel manner. For example, a context-based IoT devicegrouping model obtained through each of a plurality of machine learningalgorithm is combined at a particular weight to generate a combinedcontext-based IoT device grouping model.

In a specific implementation, the IoT device grouping model buildingengine 708 functions to split the aggregated events and the determinedbehaviors of IoT devices into training data sets and testing data sets.The training data sets are used for building the context-based IoTdevice grouping model, and the testing data sets are used for validatingthe built context-based IoT device grouping model. For example, the IoTdevice grouping model building engine 708 randomly categorizesaggregated events and behaviors of a first part of the entire IoTdevices in operation as training data sets and categorizes aggregatedevents and behaviors of a second part of the entire IoT devices inoperation as testing data sets. Depending upon implementation-specificor other considerations, a ratio of the training data sets with respectto the testing data sets is 4/1 to 20/1, with a 10/1 yielding goodresults for relatively large sets; however the ratio of the trainingdata sets with respect to the testing data sets is not limited thereto.Further, depending upon implementation-specific or other considerations,the IoT device grouping model building engine 708 requests offlineinputs of actual grouping/labeling of IoT devices that are categorizedinto the testing data sets, by sending inquiries to users,administrators, vendors, and so on. The IoT device grouping modelbuilding engine 708 can also use unsupervised machine learning to buildmodels, but unsupervised machine learning provides groups, not labels.

In a specific implementation, the IoT device grouping model buildingengine 708 functions to select parameters of the IoT devices to be usedfor building the context-based IoT device grouping model, using theaggregated events and the behaviors of the IoT devices categorized intothe training data sets, in accordance with a certain machine learningalgorithm. For example, the IoT device grouping model building engine708 functions to increase or decrease, by a predetermined amount, weightof one or more parameters, which corresponds to one of the aggregatedevents and the behaviors, based on previously-set weight of parameterand a validation result of a previously-build context-based IoT devicegrouping model. Further, in a specific implementation, the IoT devicegrouping model building engine 708 functions to build a context-basedIoT device grouping model based on the selected parameters of thetraining data sets.

The IoT device grouping model validation engine 710 is intended torepresent an engine that functions to validate a context-based IoTdevice grouping model that has been built by the IoT device groupingmodel building engine 708, using the aggregated events and the behaviorsof IoT devices categorized into testing data sets by the IoT devicegrouping model building engine 708. In a specific implementation, theIoT device grouping model validation engine 710 determines, with respectto each of one or more IoT devices categorized into the testing datasets, whether or not a grouping/labeling result of the IoT devicesincluded in the testing data sets by applying the built context-basedIoT device grouping model matches actual grouping/labeling of the IoTdevices included in the testing data sets.

The IoT device grouping model feedback engine 712 is intended torepresent an engine that functions to carry out error handling withrespect a validation result obtained from the IoT device group modelvalidation engine 710. In carrying out the error handling, the IoTdevice grouping model feedback engine 712 determines a degree ofdeviation between the model-based grouping/labeling of the IoT devicesincluded in the testing data sets and the actual grouping/labeling ofthe IoT devices included in the testing data sets, and feeds back thedegree of deviation to the IoT device grouping model building engine708, such that the IoT device grouping model building engine 708 canbuild a more accurate context-based IoT device grouping model based onthe feedback.

The context-based IoT device grouping model datastore 714 is intended torepresent a datastore that functions to store context-based IoT devicegrouping model data indicating context-based IoT device grouping modelsthat have been validated by the IoT device grouping model validationengine 710. The context-based IoT device grouping model datastore 714can employ the same or similar structure as the context-based IoT devicegrouping model datastore 514 depicted in FIG. 5 .

In an example of operation of the example context-based IoT devicegrouping model generation system 702 shown in FIG. 7 , the IoT devicegrouping model building engine 708 splits the aggregated events and thedetermined behaviors of IoT devices into training data sets and testingdata sets. Also, in the example of operation of the example system shownin FIG. 7 , the IoT device grouping model building engine 708 selectsparameters of the IoT devices to be used for building the context-basedIoT device grouping model, using the aggregated events and the behaviorsof the IoT devices categorized into the training data sets. Further, inthe example of operation of the example system shown in FIG. 7 , the IoTdevice grouping model building engine 708 builds a context-based IoTdevice grouping model based on the selected parameters of the trainingdata sets. In the example of operation of the example system shown inFIG. 7 , the IoT device grouping model validation engine 710 validatesthe context-based IoT device grouping model that has been built by theIoT device grouping model building engine 708, using the aggregatedevents and the behaviors of IoT devices categorized into testing datasets. In the example of operation of the example system shown in FIG. 7, the IoT device grouping model feedback engine 712 carries out errorhandling with respect a validation result obtained from the IoT devicegroup model validation engine 710. In the example of operation of theexample system shown in FIG. 7 , a context-based IoT device groupingmodel that has been validated by the IoT device group model validationengine 710 is stored in the context-based IoT device grouping modeldatastore 714.

FIG. 8 depicts a flowchart 800 of an example of a method for generatinga context based IoT device grouping model. The flowchart 800 begins atmodule 802, where aggregated events and behaviors of IoT devices aresplit into training data sets and testing data sets. An applicableengine for splitting the aggregated events and behaviors of IoT devicesinto training data sets and testing data sets, such as the IoT devicegrouping model building engines described in this paper, can split theaggregated events and behaviors of IoT devices into training data setsand testing data sets. The aggregated events can be received from anapplicable engine for aggregating events based on a context of an IoTdevice, such as the event collecting engines described in this paper.The behaviors of IoT can be received from an applicable engine fordetermining behaviors of IoT devices, such as the IoT device behavioridentification engines described in this paper.

The flowchart 800 continues to decision block 804, where whetheraggregated events and behaviors of an IoT device is for an IoT devicecategorized into training data sets or for an IoT device categorizedinto testing data sets is determined. When the aggregated events andbehaviors of an IoT device is for an IoT device categorized into testingdata sets (No in decision block 804), the flowchart 800 continues tomodule 810. When the aggregated events and behaviors of an IoT device isfor an IoT device categorized into training data sets (Yes in decisionblock 804), the flowchart 800 continues to module 806, where parametersof the IoT devices to be used for building the context-based IoT devicegrouping model are selected, using the aggregated events and thebehaviors of the IoT devices categorized into the training data sets, inaccordance with a certain machine learning algorithm. An applicableengine for selecting parameters for a context-based IoT device groupingmodel, such as the IoT device grouping model building engines describedin this paper, can select parameters for a context-based IoT devicegrouping model.

The flowchart 800 continues to module 808, where a context-based IoTdevice grouping model is built based on the selected parameters of thetraining data sets. An applicable engine for building a context-basedIoT device grouping model, such as the IoT device grouping modelbuilding engines described in this paper, can build a context-based IoTdevice grouping model.

The flowchart 800 continues to module 810, where validation of acontext-based IoT device grouping model that has been built based on theselected parameters, using the aggregated events and the behaviors ofIoT devices categorized into testing data sets is carried out. Anapplicable engine for performing validation of a context-based IoTdevice grouping model, such as the IoT device grouping model validationengines described in this paper, can perform validation of acontext-based IoT device grouping model.

The flowchart 800 continues to decision point 812, where whether thedata set is labeled. When the data set is unlabeled (decision point 812,No), the flowchart 800 continues to module 814, where clustering-basedclassification for unlabeled data sets is carried out, and to decisionpoint 816 where it is determined whether the data set is grouped. Whenthe data set is ungrouped (decision point 816, No) the flowchartcontinues to module 818 where error handling of the built context-basedIoT device grouping model is carried out. In performing the errorhandling, a degree of deviation between the model-basedgrouping/labeling of the IoT devices included in the testing data setsand the actual grouping/labeling of the IoT devices included in thetesting data sets is determined, and the determined degree of deviationis fed back for selection of parameters carried out in module 806, whichwas described previously. An applicable engine for performing errorhandling of a built context-based IoT device grouping model, such as theIoT device grouping model feedback engines described in this paper, canperform error handling of a built context-based IoT device groupingmodel. as described previously. When, on the other hand, the data set isgrouped (decision point 816, Yes), the flowchart 800 continues to module820 where assisted labeling is conducted.

When the data set is labeled (decision point 812, Yes), the flowchart800 ends at module 822, where the validated context-based IoT devicegrouping model is stored in a datastore for application to IoT device ofwhich grouping/labeling has been not performed. The flowchart 800 alsoends at module 822 following assisted labeling (module 820).

FIG. 9 depicts a diagram 900 of an example context-based IoT devicegrouping model maintenance system 902. The context-based IoT devicegrouping model maintenance system 902 is intended to represent a systemthat maintains context-based IoT device grouping models for purposes ofgrouping/labeling IoT devices in operation. The context-based IoT devicegrouping model maintenance system 902 can be included as part of anapplicable system for grouping/labeling IoT devices in operation basedon context, such as the context-based IoT device grouping systemdescribed in this paper. Additionally, the context-based IoT devicegrouping model maintenance system 902 can be implemented remote from anIoT device. For example, the context-based IoT device grouping modelmaintenance system 902 can be implemented in the cloud remote from anIoT device whose behavior is monitored to perform grouping of the IoTdevices in operation.

The context-based IoT device grouping model maintenance system 902functions to generate and update context-based IoT device groupingmodels based on behaviors and/or aggregated events of IoT devices. Inmaintaining context-based IoT device grouping models based on behaviorsand/or aggregated events, the context-based IoT device grouping modelmaintenance system 902 can determine behaviors of IoT devices inoperation. For example, the context-based IoT device grouping modelmaintenance system 902 can determine behaviors of IoT devices inoperation based on aggregated events occurring during operation of theIoT devices. Additionally, the context-based IoT device grouping modelmaintenance system 902 can recognize behavior patterns from determinedbehaviors of IoT devices in maintaining a context-based IoT devicegrouping model. For example the context-based IoT device grouping modelmaintenance system 902 can recognize characteristic or common behaviorpatterns of IoT devices in one or more groups and build or update acontext-based IoT device grouping model based on the recognizedcharacteristic or common behavior patterns of the IoT devices in one ormore groups.

In a specific implementation, the context-based IoT device groupingmodel maintenance system 902 functions to maintain context-based IoTdevice grouping models offline. In maintaining context-based IoT devicegrouping models offline, the context-based IoT device grouping modelmaintenance system 902 can maintain the models at specific timesregardless of current operation of IoT devices. For example, thecontext-based IoT device grouping model maintenance system 902 canupdate context-based IoT device grouping models every day. Further acontext-based IoT device grouping model maintained by the context-basedIoT device grouping model maintenance system 902 can be shared betweendifferent users. For example, if a first user's IoT device is used tocreate a context-based IoT device grouping model, then the context-basedIoT device grouping model maintenance system 902 can share the modelwith another user unrelated to the first user.

In a specific implementation, the context-based IoT device groupingmodel maintenance system 902 functions to maintain a context-based IoTdevice grouping model included as part of either or both a personalityof an IoT device and a profile of a group of IoT devices. For example,the context-based IoT device grouping model maintenance system 902 canmaintain a context-based IoT device grouping model for instances when anIoT device is streaming data, included as part of a personality of theIoT device, based on streaming events occurring during operation of theIoT device. In another example, the context-based IoT device groupingmodel maintenance system 902 can maintain a context-based IoT devicegrouping model, included as part of a profile of a group of IoT devicesthat are grouped together based on a shared context, for session eventsoccurring during operation of the IoT devices.

The example context-based IoT device grouping model maintenance system902 shown in FIG. 9 includes an IoT device context determination engine904, an IoT device behavior identification engine 906, a deep learningbehavior pattern recognition engine 908, a learned state transitionbehavior pattern recognition engine 910, a behavior pattern modelingengine 912, and a context-based IoT device grouping model datastore 914.In a specific implementation, the IoT device context determinationengine 904, the IoT device behavior identification engine 906, the deeplearning behavior pattern recognition engine 908, the learned statetransition behavior pattern recognition engine 910, the behavior patternmodeling engine 912, and the context-based IoT device grouping modeldatastore 914 are coupled with each other.

The IoT device context determination engine 904 is intended to representan engine that functions to determine a context of an IoT device, suchas the IoT device context determination engines described in this paper.The IoT device context determination engine 904 can determine a contextof an IoT device based on events occurring in the operation of the IoTdevice. For example, if an IoT device is communicating with a webserver, then the IoT device context determination engine 904 candetermine that a web browser is executing at the IoT device.Additionally, the IoT device context determination engine 904 candetermine a context of an IoT device based on received user input. Forexample, a user can specify a type of data communicable by an IoT deviceand the IoT device context determination engine 904 can determine thetype of communication made by an IoT device based on a user input.

The IoT device behavior identification engine 906 is intended torepresent an engine that functions to identify behaviors of an IoTdevice in operation, such as the IoT device behavior identificationengines described in this paper. The IoT device behavior identificationengine 906 can determine behaviors of an IoT device based on eventsoccurring in the operation of the IoT device and collected in eventbuffers. More specifically, the IoT device behavior identificationengine 906 can determine events in operation of an IoT device byanalyzing event metadata of aggregated events in event buffers. Forexample, the IoT device behavior identification engine 906 can determinean IoT device received data used in executing a specific applicationfrom a remote source based on event metadata of aggregated events in anevent buffer. In another example, the IoT device behavior identificationengine 906 can determine an IoT device had a streaming applicationexecuting on it by analyzing event metadata of aggregated eventsoccurring at the IoT device and collected into event buffers.

The in-depth learning behavior pattern recognition engine 908 isintended to represent an engine that functions to recognize behaviorpatterns of IoT devices in operation. In-depth learning includessupervised classification, unsupervised clustering, and deep learning.The in-depth learning behavior pattern recognition engine 908 canrecognize behavior patterns of IoT devices by applying deep learning toidentified behaviors of an IoT device. For example, if an IoT device inexecuting a streaming application receives data at a specific frequency,then the in-depth learning behavior pattern recognition engine 908 canuse deep learning to associate the behavior of data being received at aspecific frequency with the behavior pattern of the streamingapplication executing at the IoT device. The in-depth learning behaviorpattern recognition engine 908 can use either or both deep learning orunsupervised clustering to recognize behavior patterns of IoT devices inoperation. For example, in-depth learning can be used to tell adifference between one model of X-ray machine and another due to theability to detect minor differences between usage patterns and labelcorrectly.

In a specific implementation, using in-depth learning to recognizebehavior patterns of IoT devices, the in-depth learning behavior patternrecognition engine 908 functions to generate a multi-layer neuralnetwork graph derived from classified behavior patterns using neuralnetwork-based learning. More specifically, the in-depth learningbehavior pattern recognition engine 908 can generate a multi-layerneural network graph of behavior patterns of an IoT device.

In a specific implementation, the deep learning behavior patternrecognition engine 908 can use deep learning to identify recognizedbehavior patterns of IoT devices in operation as either or bothcharacteristic or common behavior patterns of IoT devices in a specificgroup. For example, the deep learning behavior pattern recognitionengine 908 can identify a recognized behavior pattern as acharacteristic behavior pattern, e.g. it regularly occurs at an IoTdevice in a group. In another example, the deep learning behaviorpattern recognition engine 908 can identify a recognized behaviorpattern as a common behavior pattern.

The learned state transition pattern recognition engine 910 is intendedto represent an engine that functions to recognize behavior patterns ofIoT devices in operation using learned state transition-based learning.The learned state transition pattern recognition engine 910 canrecognize behavior patterns of IoT device in operation using learnedstate transition-based learning according to identified behaviorsoccurring during operation of an IoT device. More specifically, thelearned state transition pattern recognition engine 910 can applylearned state transition-based learning to events occurring duringoperation of an IoT device. For example, the learned state transitionpattern recognition engine 910 can define sets of states of an IoTdevice corresponding to events and transitions between events occurringin the operation of the IoT device. Further in the example, the learnedstate transition pattern recognition engine 910 can define a state of anIoT device in operation as being categorized in a specific group whenspecific events occur at the IoT device. A state defined by the learnedstate transition pattern recognition engine 910 can include variances inevents and transitions that when met still indicate an IoT device is atthe state.

In a specific implementation, the learned state transition patternrecognition engine 910 functions to maintain a state transition graph. Astate transition graph can include connected states defined for an IoTdevice in operation through state transition-based learning. Forexample, a state transition graph can connect a first state of a portscan being done to a second state of a DNS query being performed withinan hour of the port scan, which is indicative of a state indicative of aspecific group of IoT devices. Further in the example, a statetransition graph can connect the first state of the port scan occurringto the second state of the DNS query being performed to the state of IoTdevices categorized in a specific group.

In a specific implementation, the learned state transition patternrecognition engine 910 can use deep learning to identify recognizedbehavior patterns of IoT devices in operation as either or bothcharacteristic or common behavior patterns of IoT devices in a group.For example, the learned state transition pattern recognition engine 910can identify a recognized behavior pattern as a characteristic behaviorpattern of a group, e.g. it regularly occurs at an IoT device inoperation. In another example, the learned state transition patternrecognition engine 910 can identify a recognized behavior pattern as acommon behavior pattern of a group.

In a specific implementation, the deep learning behavior patternrecognition engine 908 and the learned state transition behavior patternrecognition engine 910 operate together to recognize behavior patternsof IoT devices. In operating together to recognize behavior patterns ofIoT devices, the deep learning behavior pattern recognition engine 908and the learned state transition behavior pattern recognition engine 910can apply corresponding deep learning behavior pattern recognition andlearned state transition-based learning pattern recognition to observedbehaviors until a behavior pattern for the observed behaviors isidentified. For example, if observed behaviors fail to conform to arecognized behavior pattern, e.g. as indicated through a neural networkgraph or a state transition graph, then either or both the deep learningbehavior pattern recognition engine 908 and the learned state transitionbehavior pattern recognition engine 910 can update corresponding models,e.g. the neural network graph or the state transition graph, to includea behavior pattern including the observed behaviors.

The behavior pattern modeling engine 912 is intended to represent anengine that functions to maintain context-based IoT device groupingmodels. In maintaining a context-based IoT device grouping model, thebehavior pattern modeling engine 912 can add recognized behaviorpatterns, both characteristic and common, to a context-based IoT devicegrouping model. In maintaining a context-based IoT device groupingmodel, the behavior pattern modeling engine 912 can generate and updatea context-based IoT device grouping model. For example, the behaviorpattern modeling engine 912 can update a context-based IoT devicegrouping model to include newly discovered characteristic or commonbehavior patterns of an IoT device in operation. In another example, ifa behavior pattern previously identified as characteristic or common hasbeen identified as non-characteristic or uncommon, e.g. deviating from acharacteristic or common behavior pattern, then the behavior patternmodeling engine 912 can update a context-based IoT device grouping modelto indicate the behavior pattern is non-characteristic or uncommon. Thebehavior pattern modeling engine 912 can maintain context-based IoTdevice grouping models based on behavior patterns of IoT devicesrecognized through an applicable technique. For example, the behaviorpattern modeling engine 912 can maintain context-based IoT devicegrouping models based on behavior patterns recognized through either orboth deep learning behavior pattern recognition and learned statetransition behavior pattern recognition.

In a specific implementation, the behavior pattern modeling engine 912functions to maintain context-based IoT device grouping models based ondetermined contexts of IoT devices. In maintaining context-based IoTdevice grouping models based on contexts of IoT devices, the behaviorpattern modeling engine 912 can associate a context-based IoT devicegrouping model with one or a plurality of contexts of an IoT device. Forexample, if a context-based IoT device grouping model was created usingrecognized behavior patterns of IoT devices categorized in a specificgroup, then the behavior pattern modeling engine 912 can associate themodel with the specific group. Further, in maintaining context-based IoTdevice grouping models based on contexts of IoT devices, the behaviorpattern modeling engine 912 can associate specific behavior patternswithin the model with contexts of IoT devices. For example, if abehavior pattern was formed from events observed at an IoT device whenthe IoT device was executing a web browser, then the behavior patternmodeling engine 912 can associate the behavior pattern with the contextof executing a web browser. Further, the behavior pattern modelingengine 912 can associate a context-based IoT device grouping or behaviorpatterns in the model with one or a combination of device sensor events,session events, application events, user events, protocol events, andstatus events. For example, if a behavior pattern in a model wasrecognized based on session events, then the behavior pattern modelingengine 912 can associate the model with session events.

In a specific implementation, the behavior pattern modeling engine 912functions to maintain a context-based IoT device grouping as part ofeither or both a personality of an IoT device and a profile of a groupof IoT devices. For example, the behavior pattern modeling engine 912can include a context-based IoT device grouping model maintained usingrecognized behavior patterns of a specific group of IoT devices as partof a personality for the IoT devices in the group. In another example,the behavior pattern modeling engine 912 can include a context-based IoTdevice grouping model maintained using recognized behavior patterns ofIoT devices in a specific group as part of a profile of the specificgroup of IoT devices.

In a specific implementation, the behavior pattern modeling engine 912functions to maintain a context-based IoT device grouping model in afirst language and generate a description of the IoT device groupingmodel in a common language, as included as part of the model. Forexample, the behavior pattern modeling can describe recognized behaviorpatterns in a context-based IoT device grouping model in JSON. Inanother example, the behavior pattern modeling engine 912 can writegroup description labels in a common language, e.g. in JSON, for use inlabeling groups corresponding to recognized behavior patterns. As aresult, users are able to interpret why an IoT device is categorized ina group rather than just simply being informed simply that the IoTdevice is categorized in a group.

The context-based IoT device grouping model datastore 914 is intended torepresent a datastore that functions to store context-based IoT devicegrouping model data, such as the context-based IoT device grouping modeldatastores described in this paper. Context-based IoT device groupingmodel data stored in the context-based IoT device grouping modeldatastore 914 can be maintained by an applicable engine for maintainingcontext-based IoT device grouping models based on recognized behaviorpatterns of IoT devices in operation, such as the behavior patternmodeling engines described in this paper. Context-based IoT devicegrouping model data stored in the context-based IoT device groupingmodel datastore 914 can indicate context-based IoT device groupingmodels, contexts associated with context-based IoT device groupingmodels, descriptions of context-based IoT device grouping models, e.g.written in a common language, and group description labels included aspart of a context-based IoT device grouping model.

In an example of operation of the example context-based IoT devicegrouping model maintenance system 902 shown in FIG. 9 , the IoT devicecontext determination engine 904 determines a context of an IoT devicein operation. In the example of operation of the example system shown inFIG. 9 , the IoT device behavior identification engine 906 determinesbehaviors of an IoT device in operation. Further, in the example ofoperation of the example system shown in FIG. 9 , the deep learningbehavior pattern recognition engine 908 recognizes behavior patterns ofan IoT device in operation through deep learning machine learning usingthe behaviors identified by the IoT device behavior identificationengine 906. In the example of operation of the example system shown inFIG. 9 , the learned state transition behavior pattern recognitionengine 910 recognized behavior patterns of the IoT device in operationthrough learned state transition-based learning using the behaviorsidentified by the IoT device behavior identification engine 906.Additionally, in the example of operation of the example system shown inFIG. 9 , the behavior pattern modeling engine 912 maintains acontext-based IoT device grouping model based on the behavior patternsrecognized by the deep learning behavior pattern recognition engine 908and the learned state transition behavior pattern recognition engine910.

FIG. 10 depicts a flowchart 1000 of an example of a method formaintaining a context-based IoT device grouping model for use inperforming grouping of IoT devices in operation. The flowchart 1000begins at module 1002, where a context of an IoT device in operation isdetermined. An applicable engine for determining a context of an IoTdevice in operation, such as the IoT device context determinationengines described in this paper, can determine a context of an IoTdevice in operation. A context of an IoT device can be determined basedon events occurring in the operation of the IoT device. For example, ifan IoT device is communicating with a web server, then it can bedetermined a web browser is executing at the IoT device. Additionally, acontext of an IoT device can be determined based on received user input.For example, a user can specify a type of data communicable by an IoTdevice and an IoT device context can be determined indicating the typeof communicable data by the IoT device.

The flowchart 1000 continues to module 1004, where behaviors of the IoTdevice in operation are determined. An applicable engine for determiningbehaviors of an IoT device in operation, such as the IoT device behavioridentification engines described in this paper, can determine behaviorsof the IoT device in operation. Behaviors of the IoT device in operationcan be determined based on aggregated events occurring in the operationof the IoT device. More specifically, behaviors of an IoT device inoperation can be determined from event metadata of aggregated eventscollected in an event buffer.

The flowchart 1000 continues to module 1006, where behavior patterns ofthe IoT device in operation are recognized. Behavior patterns of the IoTdevice in operation can be recognized by an applicable engine for usingdeep learning machine learning to recognize behavior patterns of an IoTdevice, such as the deep learning behavior pattern recognition enginesdescribed in this paper. Additionally, behavior patterns of the IoTdevice in operation can be recognized by an applicable engine for usinglearned state transition-based learning to recognize behavior patternsof an IoT device, such as the learned state transition patternrecognition engines described in this paper. Behavior patterns of theIoT device in operation can be recognized from determined behaviors ofthe IoT device in operation.

The flowchart 1000 continues to module 1008, where a context-based IoTdevice grouping model is maintained based on the recognized behaviorpatterns of the IoT device. An applicable engine for maintainingcontext-based IoT device grouping model, such as the behavior patternmodeling engines described in this paper, can maintain a context-basedIoT device grouping model. A context-based IoT device grouping model canbe maintained based on either or both recognized behavior patterns andcontexts of an IoT device in operation.

FIG. 11 depicts a diagram 1100 of an example of a system for determiningundesired behavior of IoT devices in operation. The system shown in theexample of FIG. 11 includes a local network 1102, a cloud 1104, and athird party cloud 1106. The local network 1102 is intended to representa network formed by at least one IoT device and a local appliance.

In the example of FIG. 11 , the local network 1102 includes a contextaware IoT aggregation system 1108. The context aware IoT aggregationsystem 1108 is intended to represent a system that functions toaggregate events for purposes of detecting undesired behavior inoperation of IoT devices, such as the context aware IoT aggregationsystems described in this paper. The context aware IoT aggregationsystem 1108 can be implemented as part of a local appliance forming partof the local network 1102. In being implemented as part of a localappliance, the context aware IoT aggregation system 1108 can locallyaggregate events for purposes of grouping IoT devices in operation.

In the example system shown in FIG. 11 , the cloud 1104 includes acontext-based IoT device grouping system 1110 and a context-based IoTdevice grouping model maintenance system 1112. The context-based IoTdevice grouping system 1110 is intended to represent a system thatfunctions to perform grouping of IoT devices based on context, such asthe context-based IoT device grouping systems described in this paper.The context-based IoT device grouping model maintenance system 1112 isintended to represent a system that functions to maintain context-basedIoT device grouping models for purposes of performing grouping of theIoT devices in operation, such as the context-based IoT device groupingmodel maintenance system described in this paper. The cloud 1104 can bespecific to a private entity. The context-based IoT device groupingsystem 1110 can receive event metadata of aggregated events through VPNtunnels from the context aware IoT device aggregation system 1108implemented at the local network 1102. The context-based IoT devicegrouping system 1110 can use received event metadata of aggregatedevents to perform grouping of the IoT devices in operation.

In the example system shown in FIG. 11 , the third party cloud 1106 isintended to represent a cloud that receives context-based IoT devicegrouping models through VPN tunnels. The third party cloud 1106 receivescontext-based IoT device grouping model data indicating context-basedIoT device grouping models through VPN tunnels from the context-basedIoT device grouping model maintenance system 1112 implemented at thecloud 1104. The third party cloud 1106 can be associated with or used bya third party management system for managing IoT devices.

FIG. 12 depicts a diagram 1200 of another example of a system forgrouping IoT devices in operation. The system shown in the example ofFIG. 12 includes a local network 1202, a third party cloud 1204, and acloud 1206. The local network 1202 is intended to represent a networkformed by at least one IoT device and a local appliance. The localnetwork 1202 includes a context aware IoT event aggregation system 1208.The context aware IoT aggregation system 1208 is intended to represent asystem that functions to aggregate events for purposes of grouping IoTdevices in operation, such as the context aware IoT aggregation systemsdescribed in this paper. The context aware IoT aggregation system 1208can be implemented as part of a local appliance forming part of thelocal network 1202. In being implemented as part of a local appliance,the context aware IoT aggregation system 1208 can locally aggregateevents for purposes of grouping IoT devices in operation.

In the system shown in the example of FIG. 12 , the third party cloud1204 receives event metadata from the context aware IoT eventaggregation system 1208 implemented at the local network 1202. The thirdparty cloud 1204 can be associated with or used by a third partymanagement system for managing IoT devices.

In the example system shown in FIG. 12 , the cloud 1206 includes acontext-based IoT device grouping system 1210 and a context-based IoTdevice grouping model maintenance system 1212. The context-based IoTdevice grouping system 1210 is intended to represent a system thatfunctions to perform grouping of IoT devices based on context, such asthe context-based IoT device grouping systems described in this paper.The context-based IoT device grouping model maintenance system 1212 isintended to represent a system that functions to maintain context-basedIoT device grouping models for purposes of performing grouping of theIoT devices in operation, such as the context-based IoT device groupingmodel maintenance system described in this paper. The context-based IoTdevice grouping system 1210 can receive event metadata, through VPNtunnels from the third party cloud 1204, which are received at the thirdparty cloud 1204 from the context aware IoT event aggregation system1208 implemented at the local network 1202. The context-based IoT devicegrouping system 1210 can use event metadata received through VPN tunnelsfrom the third party cloud 1204 to perform grouping of IoT devices inoperation.

The context-based IoT device grouping model maintenance system 1212 cansend maintained context-based IoT device grouping models back to thethird party cloud 1204 through VPN tunnels. The context-based IoT devicegrouping system 1210 can send grouping/labeling result reports back tothe third party cloud 904 through VPN tunnels.

FIG. 13 depicts a diagram 1300 of an example of a system for performinggrouping of IoT devices in operation. The system shown in the example ofFIG. 13 includes a local network 1302, a cloud 1304, and a third partycloud 1306. The local network 1302 is intended to represent a networkformed by at least one IoT device and a local appliance.

In the example of FIG. 13 , the local network 1302 includes a contextaware IoT aggregation system 1308. The context aware IoT aggregationsystem 1308 is intended to represent a system that functions toaggregate events for purposes of performing grouping of IoT devices inoperation, such as the context aware IoT aggregation systems describedin this paper. The context aware IoT aggregation system 1308 can beimplemented as part of a local appliance forming part of the localnetwork 1302. In being implemented as part of a local appliance, thecontext aware IoT aggregation system 1308 can locally aggregate eventsfor purposes of performing grouping of IoT devices in operation.

In the example system shown in FIG. 13 , the cloud 1304 includes acontext-based IoT device grouping system 1310 and a context-based IoTdevice grouping model maintenance system 1312. The context-based IoTdevice grouping system 1310 is intended to represent a system thatfunctions to perform grouping of IoT devices in operation based oncontext, such as the context-based IoT device grouping systems describedin this paper. The context-based IoT device grouping model maintenancesystem 1312 is intended to represent a system that functions to maintaincontext-based IoT device grouping models for purposes of performinggrouping of the IoT devices in operation, such as the context-based IoTdevice grouping model maintenance system described in this paper. Thecloud 1304 can be specific to a private entity. The context-based IoTdevice grouping system 1310 can receive event metadata of aggregatedevents from the context aware IoT device aggregation system 1308implemented at the local network 1302. The context-based IoT devicegrouping system 1310 can use received event metadata of aggregatedevents to perform grouping of IoT devices in operation.

In the example system shown in FIG. 13 , the third party cloud 1306 isintended to represent a cloud that receives context-based IoT devicegrouping models. The third party cloud 1306 receives context-based IoTdevice grouping model data indicating context-based IoT device groupingmodels from the context-based IoT device grouping model maintenancesystem 1312 implemented at the cloud 1304. The third party cloud 1306can be associated with or used by a third party management system formanaging IoT devices.

FIG. 14 depicts a diagram 1400 of another example of a system forgrouping IoT devices in operation. The system shown in the example ofFIG. 14 includes a local network 1402, a third party cloud 1404, and acloud 1406. The local network 1402 is intended to represent a networkformed by at least one IoT device and a local appliance. The localnetwork 1402 includes a context aware IoT event aggregation system 1408.The context aware IoT aggregation system 1408 is intended to represent asystem that functions to aggregate events for purposes of performinggrouping of IoT devices in operation, such as the context aware IoTaggregation systems described in this paper. The context aware IoTaggregation system 1408 can be implemented as part of a local applianceforming part of the local network 1402. In being implemented as part ofa local appliance, the context aware IoT aggregation system 1408 canlocally aggregate events for purposes of performing grouping of IoTdevices in operation.

In the system shown in the example of FIG. 14 , the third party cloud1404 receives event metadata from the context aware IoT eventaggregation system 1408 implemented at the local network 1402. The thirdparty cloud 1404 can be associated with or used by a third partymanagement system for managing IoT devices.

In the example system shown in FIG. 14 , the cloud 1406 includes acontext-based IoT device grouping system 1410 and a context-based IoTdevice grouping model maintenance system 1412. The context-based IoTdevice grouping system 1410 is intended to represent a system thatfunctions to perform grouping of IoT devices based on context, such asthe context-based IoT device grouping systems described in this paper.The context-based IoT device grouping model maintenance system 1412 isintended to represent a system that functions to maintain context-basedIoT device grouping models for purposes of performing grouping of theIoT devices in operation, such as the context-based IoT device groupingmodel maintenance system described in this paper. The context-based IoTdevice grouping system 1410 can receive event metadata, from the thirdparty cloud 1404, which are received at the third party cloud 1404 fromthe context aware IoT event aggregation system 1408 implemented at thelocal network 1402. The context-based IoT device grouping system 1410can use event metadata received from the third party cloud 1104 toperform grouping of IoT devices in operation.

The context-based IoT device grouping model maintenance system 1412 cansend maintained context-based IoT device grouping models back to thethird party cloud 1404. The context-based IoT device grouping system1410 can send grouping/labeling result reports back to the third partycloud 1404.

FIG. 15 depicts a diagram 1500 of another example of a system forperforming grouping of IoT devices in operation. The system shown in theexample of FIG. 15 includes a local network 1502 and a third party cloud1504. The local network 1502 includes a context aware IoT eventaggregation system 1506. The context aware IoT event aggregation system1506 is intended to represent a system that functions to aggregateevents for purposes of performing grouping of IoT devices in operation,such as the context aware IoT event aggregation systems described inthis paper.

In the system shown in the example of FIG. 15 , the third party cloud1504 includes a context-based IoT device grouping system 1508 and acontext-based IoT device grouping model maintenance system 1510. Thecontext-based IoT device grouping system 1508 is intended to representan applicable system for grouping IoT devices based on context, such asthe context-based IoT device grouping systems described in this paper.The context-based IoT device grouping system 1508 can perform groupingof IoT devices in operation based on event metadata received from thecontext aware IoT device aggregation system 1506. The context-based IoTdevice grouping model maintenance system 1510 is intended to represent asystem that functions to maintain context-based IoT device groupingmodels for purposes of performing grouping of the IoT devices inoperation, such as the context-based IoT device grouping modelmaintenance system described in this paper.

FIG. 16 depicts a diagram 1600 of an example of a system for detectingundesired behavior in IoT device operation through a mirror port. Thesystem shown in the example of FIG. 16 includes a mirror port 1602, anIoT device 1604, a source/destination 1606, and a context-based IoTdevice grouping system 1608. The mirror port 1602 is intended torepresent a device that functions to perform port mirroring on anotherport. The mirror port 1602 can be used to obtain data packetstransmitted to and from IoT devices without disrupting the flow of thedata packets. The mirror port 1602 can be implemented as part ofswitches or other applicable networking devices. Additionally, themirror port 1602 can be implemented on network devices in a LAN of IoTdevices, or on network devices in a WAN of IoT devices. For example, themirror port 1602 can be implemented as part of a local router in anenterprise network of IoT devices. Further in the example, in beingimplemented as part of the local router in an enterprise network, themirror port 1602 can be used to obtain data packets transmitted betweenIoT devices in the enterprise network, e.g. intranetwork traffic.

In the example of FIG. 16 , the IoT device 1604 is intended to representa device that includes wired or wireless interfaces through which theIoT device 1604 can send and receive data over wired and wirelessconnections. The IoT device 1604 can include unique identifiers whichcan be used in the transmission of data through a network. Uniqueidentifiers of the IoT device 1604 can include identifiers created inaccordance with Internet Protocol version 4 (hereinafter referred to as“IPv4”), or identifiers created in accordance with Internet Protocolversion 6 (hereinafter referred to as “IPv6”), of which both protocolversions are hereby incorporated by reference.

In the example of FIG. 16 , the source/destination 1606 is intended torepresent a system accessible by IoT devices through, e.g., a WAN. Forexample, the source/destination 1606 can be a system that an IoT device1604 communicates with over the Internet. Alternatively, thesource/destination 1606 can be a system or device within a LAN of an IoTdevice. For example, the source/destination 1606 can be another IoTdevice in a LAN over which an IoT device communicates.

In the example of FIG. 16 , the context-based IoT device grouping system1608 is intended to represent a system that functions to performgrouping of IoT devices in operation, such as the context-based IoTdevice grouping systems described in this paper. The context-based IoTdevice grouping system 1608 functions to perform grouping of IoT devicesin operation based on event metadata generated from data packetstransmitted to and from the IoT devices 1604. The context-based IoTdevice grouping system 1608 can obtain event metadata through a mirrorport, without interrupting the flow of the data packets between sourcesand destinations.

FIG. 17 depicts a diagram 1700 of an example of a IoT devicegrouping/labeling management system. The example system shown in FIG. 17can be included as part of an applicable system for grouping andlabeling IoT devices in operation based on context, such as the contextaware IoT device identification systems described in this paper.Applicable portions of the system shown in FIG. 17 can be implementedlocally with respect to an IoT device, e.g. at a device within a LAN ofthe IoT device. Additionally, applicable portions of the system shown inFIG. 17 can be implemented remote from an IoT device, e.g. in a cloud.

The example system shown in FIG. 17 includes an IoT device eventenrichment and aggregation engine 1702, an IoT grouping model generationengine 1704, an IoT grouping rule generation engine 1706, a groupinglabel datastores 1708, an IoT grouping/labeling prediction engine 1710,an assisted grouping/labeling engine 1712, a device inventory 1714, anda UI presentation engine 1716. In the system show in FIG. 17 , the IoTdevice event enrichment and aggregation engine 1702 is intended torepresent an engine that functions to enrich raw event metadata receivedbased on operation of an IoT device. The IoT device event enrichment andaggregation engine 1702 can receive raw metadata in the form of datapackets or portions of data packets transmitted to and from an IoTdevice in operation of the IoT device. In enriching raw event metadata,the IoT device event enrichment and aggregation engine 1702 can identifyan IoT device and assign a context to the IoT device.

The IoT grouping model generation engine 1704 is intended to representan engine that receives enriched metadata to generate a context-basedIoT device grouping model. The IoT grouping model generation engine 1704receives the enriched metadata from the IoT device event enrichment andaggregation engine 1702. In maintaining a context-based IoT devicegrouping model based on enriched metadata, the IoT device grouping modelgeneration engine 1704 can establish profiles of groups of IoT devices.Additionally, in maintaining the context-based IoT device groupingmodel, the IoT device grouping model generation engine 1704 canaggregate and create permutations of the enriched metadata to generateaggregated metadata permutations. For example, the IoT device groupingmodel generation engine 1704 can group together all enriched metadatarelated to streaming events at the IoT device together to generateaggregated metadata permutations.

The IoT grouping rule generation engine 1706 is intended to represent anengine that functions to define an IoT device grouping/labeling rulebased on the context-based IoT device grouping model generated by theIoT grouping model generation engine 1704. The IoT grouping rulegeneration engine 1706 stores defined labels and group profilecorresponding to one or more defined labels in the grouping labeldatastores 1708.

The IoT grouping/labeling prediction engine 1710 is intended torepresent an engine that functions to predict grouping and labeling ofIoT device in operation based on the defined labels and group profilesthat are defined by the IoT grouping rule generation engine 1706 andstored in the grouping label datastore 1708.

The assisted grouping/labeling engine 1712 is intended to represent anengine that functions to perform assisted grouping/labeling based on aprediction result made by the IoT grouping/labeling prediction engine1710. For example, when the grouping/labeling prediction is notsuccessfully obtained in the prediction result made by the IoTgrouping/labeling prediction engine 1710, the assisted grouping/labelingengine 1712 carries out assisted grouping/labeling based on offlineinputs made by users, customers, administrators, vendors, and so on,which are triggered, for example, by inquiries made by the assistedgrouping/labeling engine 1712. The assisted grouping/labeling engine1712 provides results of assisted grouping/labeling to the IoT groupingrule generation engine 1706, such that the IoT grouping rule generationengine 1706 can update the IoT device grouping/labeling rule based onthe assisted grouping/labeling carried out by the assistedgrouping/labeling engine 1712. The assisted grouping/labeling engine1712 also stores a result of the grouping/labeling prediction, alongwith a result of the assisted grouping/labeling, if any, to the deviceinventory 1714.

The UI presentation engine 1716 is intended to represent an engine thatfunctions to perform presentation of a result of grouping/labelingprediction that is made based on the IoT device grouping/labeling ruleand/or the assisted grouping/labeling based on offline inputs. Forexample, the UI presentation engine 1716 visually presents the result ofgrouping/labeling prediction and/or the assisted grouping/labeling to acustomer dashboard as a graphical user interface (GUI), such that thecustomer can manage IoT devices in operation based on the result ofgrouping/labeling prediction and/or the assisted grouping/labeling.

FIG. 18 is a diagram of an example of a cloud-based grouping andlabeling engine with semi-autonomous grouping and labeling engines. Thediagram 1800 includes a cloud-based grouping and labeling engine 1802and a plurality of semi-autonomous grouping and labeling engines 1804-1to 1804-n (collectively, the semi-autonomous grouping and labelingengines 1804). FIG. 18 is intended to illustrate how grouping andlabeling functionality can be carried out at a relatively low level atthe semi-autonomous grouping and labeling engines 1804, which may beassociated with individual subnets, distinct enterprise networks, homenetworks, or the like. The grouping and labeling functionality can alsobe carried out at a relatively high level at the cloud-based groupingand labeling engine 1802.

These and other examples provided in this paper are intended toillustrate but not necessarily to limit the described implementation. Asused herein, the term “implementation” means an implementation thatserves to illustrate by way of example but not limitation. Thetechniques described in the preceding text and figures can be mixed andmatched as circumstances demand to produce alternative implementations.

What is claimed is:
 1. A method comprising: identifying a first set ofraw events associated with a first Internet of Things (IoT) device inoperation, wherein at least one raw event included in the first set ofraw events is a transmission made by the first IoT device; determining,based at least in part on a communication manner of the first IoTdevice, a first time period, and generating one or more formatted eventsof the first IoT device in operation, at least in part by examining thefirst set of raw events over the first time period; using the one ormore formatted events of the first IoT device in operation to extract aset of features of the first IoT device in operation; identifying asecond set of raw events associated with a second IoT device inoperation, wherein at least one raw event included in the second set ofraw events is a transmission made by the second IoT device; determining,based at least in part on a communication manner of the second IoTdevice, a second time period that is different from the first timeperiod, and generating one or more formatted events of the second IoTdevice in operation, at least in part by examining the second set of rawevents over the second time period; using the one or more formattedevents of the second IoT device in operation to extract a set offeatures of the second IoT device in operation; generating acontext-based IoT device grouping model based at least in part on atleast one of: (1) the extracted set of features of the first IoT devicein operation or (2) the extracted set of features of the second IoTdevice in operation; applying the generated context-based IoT devicegrouping model to determine that a third IoT device belongs to aparticular group; and detecting, as an undesired behavior, a deviationby the third IoT device from group behavior, and generating an alert inresponse.
 2. The method of claim 1, further comprising: transforming atleast a portion of raw events included in the first set of raw eventsinto a format suitable for grouping and labeling the first IoT device.3. The method of claim 1, further comprising: transforming at least aportion of raw events included in the first set of raw events intodiscrete events.
 4. The method of claim 1, further comprising:transforming at least a portion of raw events included in the first setof raw events into composite events comprising multiple eventparameters.
 5. The method of claim 1, wherein at least one raw eventincluded in the first set of raw events is a message transmitted to thefirst IoT device, and wherein the method further comprises: examiningthe message transmitted to the first IoT device to determine an eventwhich can subsequently be timestamped to create a formatted event of thefirst IoT device in operation.
 6. The method of claim 1, furthercomprising enriching at one raw event included in the first set of rawevents based at least in part on obtained additional context about thefirst IoT device in operation.
 7. The method of claim 1, furthercomprising: aggregating a plurality of events occurring during the firsttime period to form a set of aggregated events.
 8. The method of claim7, further comprising: transmitting event metadata of the set ofaggregated events to a remote system for purposes of performing groupingof the first and third IoT devices.
 9. The method of claim 1, furthercomprising: determining that grouping the first and third IoT devices isunsuccessful, and carrying out assisted grouping and labeling of thefirst and third IoT devices.
 10. The method of claim 1, furthercomprising: determining that a new IoT device label has been added, andperforming a new grouping operation on at least one of the first andsecond IoT devices.
 11. A system comprising: a processor configured to:identify a first set of raw events associated with a first Internet ofThings (IoT) device in operation, wherein at least one raw eventincluded in the first set of raw events is a transmission made by thefirst IoT device; determine, based at least in part on a communicationmanner of the first IoT device, a first time period, and generate one ormore formatted events of the first IoT device in operation, at least inpart by examining the first set of raw events over the first timeperiod; use the one or more formatted events of the first IoT device inoperation to extract a set of features of the first IoT device inoperation; identify a second set of raw events associated with a secondIoT device in operation, wherein at least one raw event included in thesecond set of raw events is a transmission made by the second IoTdevice; determine, based at least in part on a communication manner ofthe second IoT device, a second time period that is different from thefirst time period, and generate one or more formatted events of thesecond IoT device in operation, at least in part by examining the secondset of raw events over the second time period; use the one or moreformatted events of the second IoT device in operation to extract a setof features of the second IoT device in operation; generate acontext-based IoT device grouping model based at least in part on atleast one of: (1) the extracted set of features of the first IoT devicein operation or (2) the extracted set of features of the second IoTdevice in operation; apply the generated context-based IoT devicegrouping model to determine that a third IoT device belongs to aparticular group; and detect, as an undesired behavior, a deviation bythe third IoT device from group behavior, and generate an alert inresponse; and a memory coupled to the processor and configured toprovide the processor with instructions.
 12. A computer program productembodied on a non-transitory medium, the computer program productincluding instructions which, when the program is executed by acomputer, cause the computer to carry out a method comprising:identifying a first set of raw events associated with a first Internetof Things (IoT) device in operation, wherein at least one raw eventincluded in the first set of raw events is a transmission made by thefirst IoT device; determining, based at least in part on a communicationmanner of the first IoT device, a first time period, and generating oneor more formatted events of the first IoT device in operation, at leastin part by examining the first set of raw events over the first timeperiod; using the one or more formatted events of the first IoT devicein operation to extract a set of features of the first IoT device inoperation; identifying a second set of raw events associated with asecond IoT device in operation, wherein at least one raw event includedin the second set of raw events is a transmission made by the second IoTdevice; determining, based at least in part on a communication manner ofthe second IoT device, a second time period that is different from thefirst time period, and generating one or more formatted events of thesecond IoT device in operation, at least in part by examining the secondset of raw events over the second time period; using the one or moreformatted events of the second IoT device in operation to extract a setof features of the second IoT device in operation; generating acontext-based IoT device grouping model based at least in part on atleast one of: (1) the extracted set of features of the first IoT devicein operation or (2) the extracted set of features of the second IoTdevice in operation; applying the generated context-based IoT devicegrouping model to determine that a third IoT device belongs to aparticular group; and detecting, as an undesired behavior, a deviationby the third IoT device from group behavior, and generating an alert inresponse.